Edit tour

Windows Analysis Report
bootstraper.exe

Overview

General Information

Sample name:	bootstraper.exe
Analysis ID:	1560967
MD5:	02c70d9d6696950c198db93b7f6a835e
SHA1:	30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256:	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
Tags:	exeuser-TheCursedSword
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Uses ipconfig to lookup or modify the Windows network settings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bootstraper.exe (PID: 1788 cmdline: "C:\Users\user\Desktop\bootstraper.exe" MD5: 02C70D9D6696950C198DB93B7F6A835E)

conhost.exe (PID: 3056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5540 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 6128 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

WerFault.exe (PID: 6580 cmdline: C:\Windows\system32\WerFault.exe -u -p 1788 -s 2196 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
\Device\ConDrv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: bootstraper.exe PID: 1788	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\bootstraper.exe", ParentImage: C:\Users\user\Desktop\bootstraper.exe, ParentProcessId: 1788, ParentProcessName: bootstraper.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 5540, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T15:10:10.891472+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.93.27	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: bootstraper.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: bootstraper.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: bootstraper.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB33B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbh source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.pdbMZ source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB33B000.00000004.00000800.00020000.00000000.sdmp, WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.pdbH source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.pdbH source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\System.pdbL source: bootstraper.exe, 00000000.00000002.2553164284.0000024CC38DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: bootstraper.exe, 00000000.00000002.2553164284.0000024CC3865000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.93.27 104.21.93.27
Source: Joe Sandbox View	IP Address: 104.20.23.46 104.20.23.46

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.93.27:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: getsolara.dev
Source: global traffic	DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic	DNS traffic detected: DNS query: www.nodejs.org

Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB15E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB061000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB15E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB15E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:64632
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientsettings.roblox.com
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-term4-lhr2.roblox.com
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://getsolara.dev
Source: bootstraper.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB0F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nodejs.org
Source: bootstraper.exe	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1EE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: bootstraper.exe	String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1EE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB131000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB0F7000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB10A000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev
Source: bootstraper.exe	String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: bootstraper.exe	String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: bootstraper.exe	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
Source: bootstraper.exe	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB177000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ncs.roblox.com/upload
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB177000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: bootstraper.exe	String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: bootstraper.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nodejs.org
Source: bootstraper.exe	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: bootstraper.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\bootstraper.exe	Code function: 0_2_00007FF848CF98F8		0_2_00007FF848CF98F8
Source: C:\Users\user\Desktop\bootstraper.exe	Code function: 0_2_00007FF848CF2540		0_2_00007FF848CF2540

Source: C:\Users\user\Desktop\bootstraper.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1788 -s 2196

Source: bootstraper.exe, 00000000.00000000.2049184537.0000024CA91A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs bootstraper.exe
Source: bootstraper.exe	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs bootstraper.exe

Source: classification engine

Classification label: mal80.evad.winEXE@8/7@3/4

Source: C:\Users\user\Desktop\bootstraper.exe

File created: C:\Users\user\Desktop\DISCORD

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3056:120:WilError_03
Source: C:\Users\user\Desktop\bootstraper.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1788
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03

Source: C:\Users\user\Desktop\bootstraper.exe

File created: C:\Users\user\AppData\Local\Temp\node-v18.16.0-x64.msi

Jump to behavior

Source: bootstraper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bootstraper.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 46.24%

Source: C:\Users\user\Desktop\bootstraper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bootstraper.exe

ReversingLabs: Detection: 63%

Source: bootstraper.exe	String found in binary or memory: --START ERROR INFO--
Source: bootstraper.exe	String found in binary or memory: pve[!] Error checking WebView2 runtime installation: chttps://go.microsoft.com/fwlink/p/?LinkId=2124703=MicrosoftEdgeWebview2Setup.exe!/silent /installQWebView2 runtime installed successfully.GError installing WebView2 runtime: iSOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64
Source: bootstraper.exe	String found in binary or memory: Installed#vc_redist.x64.exe5/install /quiet /norestart

Source: C:\Users\user\Desktop\bootstraper.exe

File read: C:\Users\user\Desktop\bootstraper.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bootstraper.exe "C:\Users\user\Desktop\bootstraper.exe"
Source: C:\Users\user\Desktop\bootstraper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bootstraper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\bootstraper.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1788 -s 2196
Source: C:\Users\user\Desktop\bootstraper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bootstraper.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bootstraper.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB33B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbh source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.pdbMZ source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: bootstraper.exe, 00000000.00000002.2552303099.0000024CAB33B000.00000004.00000800.00020000.00000000.sdmp, WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Data.pdbH source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.pdbH source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\System.pdbL source: bootstraper.exe, 00000000.00000002.2553164284.0000024CC38DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: bootstraper.exe, 00000000.00000002.2553164284.0000024CC3865000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER1BD.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1BD.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: bootstraper.exe, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: bootstraper.exe, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: C:\Users\user\Desktop\bootstraper.exe	Code function: 0_2_00007FF848CFD668 push ss; retf	0_2_00007FF848CFD837
Source: C:\Users\user\Desktop\bootstraper.exe	Code function: 0_2_00007FF848CFA272 push ebx; retf	0_2_00007FF848CFA282
Source: C:\Users\user\Desktop\bootstraper.exe	Code function: 0_2_00007FF848CE00BD pushad ; iretd	0_2_00007FF848CE00C1

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Users\user\Desktop\bootstraper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Memory allocated: 24CA9490000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Memory allocated: 24CC3060000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597872	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597635	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597514	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597178	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596213	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594981	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594873	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594760	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594570	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594463	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594016	Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Window / User API: threadDelayed 2796			Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Window / User API: threadDelayed 7046			Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597635s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597514s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596213s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594981s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594760s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594570s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594463s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe TID: 7116	Thread sleep time: -594016s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597872	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597635	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597514	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597178	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596213	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594981	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594873	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594760	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594570	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594463	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Thread delayed: delay time: 594016	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: bootstraper.exe, 00000000.00000002.2551981183.0000024CA9533000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\bootstraper.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: bootstraper.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Source: C:\Users\user\Desktop\bootstraper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all			Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe	Queries volume information: C:\Users\user\Desktop\bootstraper.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\bootstraper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\bootstraper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bootstraper.exe	63%	ReversingLabs	Win64.Trojan.Heracles
bootstraper.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://discord.com;http://127.0.0.1:6463/rpc?v=11	0%	Avira URL Cloud	safe
https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	100%	Avira URL Cloud	malware
https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	100%	Avira URL Cloud	malware
http://127.0.0.1:64632	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
getsolara.dev	104.21.93.27	true	false	high
www.nodejs.org	104.20.23.46	true	false	high
edge-term4-lhr2.roblox.com	128.116.119.3	true	false	high
clientsettings.roblox.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://getsolara.dev/asset/discord.json	false	high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	false	high
https://getsolara.dev/api/endpoint.json	false	high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:6463	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB15E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.nodejs.org	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB061000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ncs.roblox.com/upload	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB177000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nodejs.org	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
http://james.newtonking.com/projects/json	bootstraper.exe	false		high
http://getsolara.dev	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB115000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com;http://127.0.0.1:6463/rpc?v=11	bootstraper.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe	bootstraper.exe	false		high
https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1EE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB131000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json	bootstraper.exe	false		high
http://edge-term4-lhr2.roblox.com	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getsolara.dev	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB0F7000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB10A000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB177000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json	bootstraper.exe	false		high
http://127.0.0.1:64632	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB15E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	bootstraper.exe	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	bootstraper.exe	false		high
http://127.0.0.1:6463/rpc?v=1	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB061000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB15E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB0F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://clientsettings.roblox.com	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB177000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/pjseRvyK	bootstraper.exe	false		high
https://clientsettings.roblox.com	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1FE000.00000004.00000800.00020000.00000000.sdmp, bootstraper.exe, 00000000.00000002.2552303099.0000024CAB1DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
128.116.119.3	edge-term4-lhr2.roblox.com	United States	22697	ROBLOX-PRODUCTIONUS	false
104.21.93.27	getsolara.dev	United States	13335	CLOUDFLARENETUS	false
104.20.23.46	www.nodejs.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560967
Start date and time:	2024-11-22 15:09:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bootstraper.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@8/7@3/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 139 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target bootstraper.exe, PID 1788 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: bootstraper.exe

Simulations

Behavior and APIs

Time	Type	Description
09:10:08	API Interceptor	92x Sleep call for process: bootstraper.exe modified
09:10:53	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
128.116.119.3	SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe	Get hash	malicious	Unknown	Browse
	https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445	Get hash	malicious	Unknown	Browse
	https://shrturl.net/pmf-gx3n	Get hash	malicious	Unknown	Browse
	RFAwChXSve.exe	Get hash	malicious	DCRat	Browse
104.21.93.27	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
104.20.23.46	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe	Get hash	malicious	Unknown	Browse
	BootstrapperV1.19.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.nodejs.org	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	104.20.22.46
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.23.46
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.20.23.46
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	104.20.23.46
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	104.20.23.46
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	104.20.23.46
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
getsolara.dev	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	104.21.93.27
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.93.27
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.21.93.27
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	172.67.203.125
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
edge-term4-lhr2.roblox.com	SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe	Get hash	malicious	Unknown	Browse	128.116.119.3
	https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445	Get hash	malicious	Unknown	Browse	128.116.119.3
	https://shrturl.net/pmf-gx3n	Get hash	malicious	Unknown	Browse	128.116.119.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROBLOX-PRODUCTIONUS	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	128.116.123.3
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	128.116.123.3
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	128.116.44.3
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	128.116.44.4
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	128.116.123.4
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	128.116.110.16
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	128.116.21.4
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	128.116.123.4
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	128.116.123.3
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	128.116.44.3
CLOUDFLARENETUS	https://app.typeset.com/play/G4WZ1	Get hash	malicious	HTMLPhisher	Browse	104.22.8.215
	https://b0.antidisesta1.com/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/#Xlhixacc.org	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	http://cdn.prod.website-files.com/65dccdc21b806b929439370e/66e00f5491860971b9b9ef25_80703488528.pdf	Get hash	malicious	Unknown	Browse	172.67.215.147
	https://qrcodeveloper.com/code/87JgljWuQCR6Oeir	Get hash	malicious	Unknown	Browse	172.67.72.106
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	http://res.pdfonestartlive.com	Get hash	malicious	Unknown	Browse	104.18.30.234
	http://rfmdocument.technolutionszzzz.net	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	https://app.typeset.com/play/G4WZ1	Get hash	malicious	HTMLPhisher	Browse	104.22.8.215
	https://b0.antidisesta1.com/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/#Xlhixacc.org	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	http://cdn.prod.website-files.com/65dccdc21b806b929439370e/66e00f5491860971b9b9ef25_80703488528.pdf	Get hash	malicious	Unknown	Browse	172.67.215.147
	https://qrcodeveloper.com/code/87JgljWuQCR6Oeir	Get hash	malicious	Unknown	Browse	172.67.72.106
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	http://res.pdfonestartlive.com	Get hash	malicious	Unknown	Browse	104.18.30.234
	http://rfmdocument.technolutionszzzz.net	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	http://cdn.prod.website-files.com/65dccdc21b806b929439370e/66e00f5491860971b9b9ef25_80703488528.pdf	Get hash	malicious	Unknown	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	2.ps1	Get hash	malicious	Unknown	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	BX9IkWcF80.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	VKXD1NsFdC.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	hx0XzDVE1J.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	PZI8hMQHWg.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	lIUubnREXh.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	cFIg55rrfH.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46
	hx0XzDVE1J.exe	Get hash	malicious	ScreenConnect Tool	Browse	128.116.119.3 104.21.93.27 104.20.23.46

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bootstraper.exe_ca15c659264497fc63bd796592de28a0dbe052ad_fcc18e5f_d2694d61-796f-40bf-a3a2-91ead7b808d4\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.25792224544916
Encrypted:	false
SSDEEP:	192:NA4k6ZYr0bU9+dQ1aWBejol2/fsLzuiFUZ24lO8b:24kcnbG+dQ1aml23sLzuiFUY4lO8b
MD5:	9509E8891FA6888F25BE6395DC2DF868
SHA1:	D15F771FA2DD0F2AEC7C69BD50CC710AA60B7C9B
SHA-256:	F8E69E11FFF08514FB065A4F635B89ACFC888C7A34EF27F18D7ECA54E3E49031
SHA-512:	983F912402D6FD175E664C0828C5541A60E60E24B2F061B8DAE1A8BC6005D40B7E1F95A03ED83527567B9B0595016DB5FDAD0A6EA4C2807069C8FA0CD10296CE
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.7.5.8.2.1.9.8.8.9.0.3.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.7.5.8.2.2.0.6.2.3.4.1.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.6.9.4.d.6.1.-.7.9.6.f.-.4.0.b.f.-.a.3.a.2.-.9.1.e.a.d.7.b.8.0.8.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.d.4.2.c.3.5.-.1.5.1.e.-.4.c.d.0.-.9.4.f.a.-.e.3.7.a.5.f.f.d.b.e.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.o.o.t.s.t.r.a.p.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.f.c.-.0.0.0.1.-.0.0.1.4.-.c.4.5.2.-.b.b.3.9.e.8.3.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.3.0.2.3.1.a.4.6.7.a.4.9.c.c.3.7.7.6.8.e.e.a.0.f.5.5.f.4.b.e.a.1.c.b.f.b.4.8.e.2.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BD.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Nov 22 14:10:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	619166
Entropy (8bit):	3.2450078122658264
Encrypted:	false
SSDEEP:	6144:e6OpMhq28jdB3Q4YXYrwJKSbVHHxfZGKbTokM:JOWqjd1Q4YXYsFhm
MD5:	3A3B31D95C8FE193FEB90596676D1F58
SHA1:	26D2076CBB6CBB78C02ED4D4FD93560945393B98
SHA-256:	07CB59FDD591F0B705B769F0161B9F8E07C0EE5259AC905A91DD1E3A239B0A1F
SHA-512:	26750BC2D6D9109934CDC2B83B29B0398832DEBBB923D84FCA26235E921D0121FDB893AE6237AE7F8F030DFA3938B2F1AFA709FC36D5037872CB6144EBAFB40A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........@g............d...........<...........<....)...........).......T..............l.......8...........T............U...............E...........G..............................................................................eJ......pH......Lw......................T.............@g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8834
Entropy (8bit):	3.697309097677076
Encrypted:	false
SSDEEP:	192:R6l7wVeJayHZFJ+g6YEI5T0ggggmfZi8xprq89bAwzvYfnAm:R6lXJhZFJ+g6YEWT0dggmfoUAkvYfl
MD5:	3106A769DCB8AF47F066CA55ACA8C467
SHA1:	63ADC5FA48F8526A1CBE5591324910766609E037
SHA-256:	2C7F5C5330DE052CD983A740976DEAAFDFE4320F764D0E516C8CF70849032269
SHA-512:	49253F500BD9976F62326EF50A81323D1871C2C4FC86216B65A920B79A2176FED994FF382E80FBB0319CC71946E3D431FF27FE0F487BB3FED449EF3C6D08C4FC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER411.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4804
Entropy (8bit):	4.448263256540972
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg771I9IbWpW8VY4vYm8M4J6/Ffpyq8v52DzTJ8d:uIjfSI7Dq7VWJoW8Xd8d
MD5:	A9878DA45109A499E7984E543117BAA6
SHA1:	C804F3F672A8ACC34E94DB674F2A95E34B6AAC78
SHA-256:	5895058624D76F5C900D7AF57E6049C33724DDAA4F46ED341F3F890A2D806F78
SHA-512:	46BE64D6DD8B4AAB42F831C9DA61F5FA61C9A1AAAE7E7D65184380590C3F2AFA4C014F72961ECD5E23E9A9A1E036A0E6DE00943AD17266054F5611AB6F5A0C33
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="599353" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Desktop\DISCORD

Download File

Process:	C:\Users\user\Desktop\bootstraper.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.081427527984575
Encrypted:	false
SSDEEP:	3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:	B016DAFCA051F817C6BA098C096CB450
SHA1:	4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:	B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:	D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:	false
Preview:	{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421701412232913
Encrypted:	false
SSDEEP:	6144:cSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNt0uhiTw:HvloTyW+EZMM6DFyr03w
MD5:	6FCD4AC5FE029A8FFFC19C27A8207F9D
SHA1:	26DDD84A405CF9857BDECC38B42E7D23B6245EC9
SHA-256:	49BF311709B21A9FCD2F4999B282A9259A4F3497D3B2B03153E8E945BD36B742
SHA-512:	F99D5D27D224A4DB66258F4C75D0B50B6B5416DFE5B7EA5BB4D8AC9CAE6DE9E6D9911DCF19A60D958CE6A871DFF17FB4F71FF7CFD58B6F4987C4186A5D93B3C1
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.DYC.<..............................................................................................................................................................................................................................................................................................................................................@.Nw........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\bootstraper.exe
File Type:	ISO-8859 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	571
Entropy (8bit):	4.9398118662542965
Encrypted:	false
SSDEEP:	12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
MD5:	5294778E41EE83E1F1E78B56466AD690
SHA1:	348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
SHA-256:	3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
SHA-512:	381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview:	.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.598261375667174
TrID:	Win64 Executable Console Net Framework (206006/5) 46.24% Win64 Executable Console (202006/5) 45.34% Win64 Executable (generic) Net Framework (21505/4) 4.83% Win64 Executable (generic) (12005/4) 2.69% Generic Win/DOS Executable (2004/3) 0.45%
File name:	bootstraper.exe
File size:	819'200 bytes
MD5:	02c70d9d6696950c198db93b7f6a835e
SHA1:	30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256:	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512:	431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP:	12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
TLSH:	D60539107BE8DA13E1EF6736A8B54B181BF5F1C1B262EB8F658856E82C037046D5036F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5g.........."......v............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c948a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6735151B [Wed Nov 13 21:07:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004C9498h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
insb
xchg eax, esp
or al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc9434	0x54	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x575	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc9498	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc74a8	0xc7600	d9a73aea6be4adcc91ca5e381f1c1436	False	0.34694234913793104	data	5.603888358836962	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x575	0x600	706ed0398f1aa324656eb5102ff400cf	False	0.39453125	data	3.770686100904012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	37d9bb2189ab2cf85e4fa7627eed6d58	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xca090	0x36c	data			0.3995433789954338
RT_MANIFEST	0xca40c	0x169	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.6204986149584487

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T15:10:10.891472+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.93.27	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 15:10:05.145771980 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:05.145852089 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:05.145935059 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:05.164086103 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:05.164134979 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.482899904 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.483047009 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:06.488358974 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:06.488396883 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.488699913 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.538883924 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:06.585628986 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:06.631349087 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.975210905 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.975290060 CET	443	49704	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:06.975512028 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:06.994754076 CET	49704	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:09.092643976 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:09.092720032 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:09.092803955 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:09.094598055 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:09.094639063 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.359528065 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.359647989 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:10.362552881 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:10.362581015 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.362936020 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.364633083 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:10.411329985 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.891463995 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.891598940 CET	443	49706	104.21.93.27	192.168.2.5
Nov 22, 2024 15:10:10.891688108 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:10.892647982 CET	49706	443	192.168.2.5	104.21.93.27
Nov 22, 2024 15:10:13.223939896 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:13.223994970 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:13.224071026 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:13.224464893 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:13.224478960 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:14.883230925 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:14.883339882 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:14.886816978 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:14.886835098 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:14.887367010 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:14.888345957 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:14.931340933 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:15.582783937 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:15.582886934 CET	443	49707	128.116.119.3	192.168.2.5
Nov 22, 2024 15:10:15.582981110 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:15.583909035 CET	49707	443	192.168.2.5	128.116.119.3
Nov 22, 2024 15:10:17.455873013 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:17.455965042 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:17.456058979 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:17.456718922 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:17.456803083 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:18.709176064 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:18.709285975 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:18.711549044 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:18.711565018 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:18.711966038 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:18.713294983 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:18.755361080 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:19.567679882 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:19.567939043 CET	443	49708	104.20.23.46	192.168.2.5
Nov 22, 2024 15:10:19.568021059 CET	49708	443	192.168.2.5	104.20.23.46
Nov 22, 2024 15:10:19.569351912 CET	49708	443	192.168.2.5	104.20.23.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 15:10:05.001585960 CET	54037	53	192.168.2.5	1.1.1.1
Nov 22, 2024 15:10:05.139151096 CET	53	54037	1.1.1.1	192.168.2.5
Nov 22, 2024 15:10:13.081082106 CET	57067	53	192.168.2.5	1.1.1.1
Nov 22, 2024 15:10:13.222415924 CET	53	57067	1.1.1.1	192.168.2.5
Nov 22, 2024 15:10:17.313571930 CET	63141	53	192.168.2.5	1.1.1.1
Nov 22, 2024 15:10:17.454961061 CET	53	63141	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 15:10:05.001585960 CET	192.168.2.5	1.1.1.1	0x5b94	Standard query (0)	getsolara.dev	A (IP address)	IN (0x0001)	false
Nov 22, 2024 15:10:13.081082106 CET	192.168.2.5	1.1.1.1	0xf721	Standard query (0)	clientsettings.roblox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 15:10:17.313571930 CET	192.168.2.5	1.1.1.1	0xe424	Standard query (0)	www.nodejs.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 15:10:05.139151096 CET	1.1.1.1	192.168.2.5	0x5b94	No error (0)	getsolara.dev		104.21.93.27	A (IP address)	IN (0x0001)	false
Nov 22, 2024 15:10:05.139151096 CET	1.1.1.1	192.168.2.5	0x5b94	No error (0)	getsolara.dev		172.67.203.125	A (IP address)	IN (0x0001)	false
Nov 22, 2024 15:10:13.222415924 CET	1.1.1.1	192.168.2.5	0xf721	No error (0)	clientsettings.roblox.com	titanium.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 15:10:13.222415924 CET	1.1.1.1	192.168.2.5	0xf721	No error (0)	titanium.roblox.com	edge-term4.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 15:10:13.222415924 CET	1.1.1.1	192.168.2.5	0xf721	No error (0)	edge-term4.roblox.com	edge-term4-lhr2.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 15:10:13.222415924 CET	1.1.1.1	192.168.2.5	0xf721	No error (0)	edge-term4-lhr2.roblox.com		128.116.119.3	A (IP address)	IN (0x0001)	false
Nov 22, 2024 15:10:17.454961061 CET	1.1.1.1	192.168.2.5	0xe424	No error (0)	www.nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 15:10:17.454961061 CET	1.1.1.1	192.168.2.5	0xe424	No error (0)	www.nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

getsolara.dev

clientsettings.roblox.com

www.nodejs.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.93.27	443	1788	C:\Users\user\Desktop\bootstraper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 14:10:06 UTC	81	OUT	GET /asset/discord.json HTTP/1.1 Host: getsolara.dev Connection: Keep-Alive
2024-11-22 14:10:06 UTC	1021	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 14:10:06 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqyiyOHKQF8x1D0xOSBH7ZlQJnFZ2bNt8uXBqFJ7Gj%2BEd3nM1q%2FSCJpFwi2EbBDKpm9bXs3zPvDCSKKRy9XTvWifIH44e6I4hnlqMTQOH0yOCl7NuImSfF6Z%2FTv%2FXX7r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding cf-cache-status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8e6980484a6a4286-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1749&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2811&recv_bytes=695&delivery_rate=1583514&cwnd=232&unsent_bytes=0&cid=3b91df7baf7cce0a&ts=505&x=0"
2024-11-22 14:10:06 UTC	109	IN	Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-11-22 14:10:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.93.27	443	1788	C:\Users\user\Desktop\bootstraper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 14:10:10 UTC	56	OUT	GET /api/endpoint.json HTTP/1.1 Host: getsolara.dev
2024-11-22 14:10:10 UTC	1021	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 14:10:10 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"1fb39881d9a29ec7570ef2c2a61f7386" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=in9jG6QsyiPnfGw41NRSJEOarl1MUPhu%2BOT9Uj6li%2F1ubyec4HnnFgQ0pVxX480aaVuyYmLv3qkf2Z5GQM7cHxcuR%2FJK6ZBIeOTVDX8sTkf757jU3OLK9g1gi2msr%2B7G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding cf-cache-status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8e6980607a1a4283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2009&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2811&recv_bytes=694&delivery_rate=1775075&cwnd=243&unsent_bytes=0&cid=ec42da9872f2aefd&ts=544&x=0"
2024-11-22 14:10:10 UTC	348	IN	Data Raw: 32 31 63 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 38 61 61 33 36 62 62 66 30 65 62 31 34 39 34 61 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 39 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 66 64 66 33 62 36 38 63 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73 Data Ascii: 21c{ "BootstrapperVersion": "1.23", "SupportedClient": "version-8aa36bbf0eb1494a", "SoftwareVersion": "3.129", "BootstrapperUrl": "https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-11-22 14:10:10 UTC	199	IN	Data Raw: 68 74 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 36 62 38 65 38 34 38 34 37 64 38 66 31 37 35 39 32 65 39 66 37 34 63 62 36 34 33 31 65 32 35 32 30 35 66 62 65 65 30 64 31 36 39 39 66 30 62 35 39 39 33 31 39 64 33 39 66 65 38 31 37 34 64 64 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 75 70 64 61 74 65 64 22 0a 7d 0d 0a Data Ascii: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"6b8e84847d8f17592e9f74cb6431e25205fbee0d1699f0b599319d39fe8174dd", "Changelog":"[+] updated"}
2024-11-22 14:10:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	128.116.119.3	443	1788	C:\Users\user\Desktop\bootstraper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 14:10:14 UTC	119	OUT	GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 Host: clientsettings.roblox.com Connection: Keep-Alive
2024-11-22 14:10:15 UTC	576	IN	HTTP/1.1 200 OK content-length: 119 content-type: application/json; charset=utf-8 date: Fri, 22 Nov 2024 14:10:14 GMT server: Kestrel cache-control: no-cache strict-transport-security: max-age=3600 x-frame-options: SAMEORIGIN roblox-machine-id: 7ca5d090-5b12-463d-4ef2-03148a769c4e x-roblox-region: us-central_rbx x-roblox-edge: lhr2 report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1} connection: close
2024-11-22 14:10:15 UTC	119	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 35 32 2e 30 2e 36 35 32 30 37 36 34 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 38 61 61 33 36 62 62 66 30 65 62 31 34 39 34 61 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 35 32 30 37 36 34 22 7d Data Ascii: {"version":"0.652.0.6520764","clientVersionUpload":"version-8aa36bbf0eb1494a","bootstrapperVersion":"1, 6, 0, 6520764"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	104.20.23.46	443	1788	C:\Users\user\Desktop\bootstraper.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 14:10:18 UTC	99	OUT	GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1 Host: www.nodejs.org Connection: Keep-Alive
2024-11-22 14:10:19 UTC	497	IN	HTTP/1.1 307 Temporary Redirect Date: Fri, 22 Nov 2024 14:10:19 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: close Cache-Control: public, max-age=0, must-revalidate location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi strict-transport-security: max-age=31536000; includeSubDomains; preload x-vercel-id: iad1::wmtr6-1732284619254-1b42ed35060b CF-Cache-Status: DYNAMIC X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8e6980949c994408-EWR
2024-11-22 14:10:19 UTC	20	IN	Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a Data Ascii: fRedirecting...
2024-11-22 14:10:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:10:03
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\bootstraper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bootstraper.exe"
Imagebase:	0x24ca91a0000
File size:	819'200 bytes
MD5 hash:	02C70D9D6696950C198DB93B7F6A835E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:10:03
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:10:04
Start date:	22/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c ipconfig /all
Imagebase:	0x7ff6e93c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:10:04
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:10:04
Start date:	22/11/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff68cb60000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:10:19
Start date:	22/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1788 -s 2196
Imagebase:	0x7ff668d30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF848CF98F8 Relevance: 1.0, Instructions: 1050COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d16add76e2858cf3ba69bfa93e18676b0006c5f623817f397245096e4c0edd5
Instruction ID: 16d386b5694645d430b3636581ca17bfa5c36d158dfffe65f668783f770a4b64
Opcode Fuzzy Hash: 6d16add76e2858cf3ba69bfa93e18676b0006c5f623817f397245096e4c0edd5
Instruction Fuzzy Hash: 7872A030A1C9499FEB99EF2CC895AA977E1FF58384F0401B9E54DC7292CF28E841CB45

Function 00007FF848CF2540 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bcb23867f5a4e717e1e8d9618cc19d79f6da28b8e3841a01539ee353cff0e5
Instruction ID: f03be2bcf549952ee3c3b4c7527fb7dfc2d488243ca7e7dd0df8ffb2a8e68db1
Opcode Fuzzy Hash: 50bcb23867f5a4e717e1e8d9618cc19d79f6da28b8e3841a01539ee353cff0e5
Instruction Fuzzy Hash: 8722E73091CF858FE399EB2884546A6BBE1FF65340F1486BED48AC7292DF34E845C785

Function 00007FF848CE6DB8 Relevance: 7.9, Strings: 6, Instructions: 375COMMON

Download Yara Rule

Strings

hfH, xrefs: 00007FF848CFAD49
PfH, xrefs: 00007FF848CFAD19
`dH, xrefs: 00007FF848CFACD9
pdH, xrefs: 00007FF848CFACF9
xdH, xrefs: 00007FF848CFAD09
pfH, xrefs: 00007FF848CFAD59

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: PfH$`dH$hfH$pdH$pfH$xdH
API String ID: 0-822065893
Opcode ID: eaca83faf117a59932d1f6a968ba0e83dcc3129f0816a2a812df4a27e5a7f58c
Instruction ID: 11dd400e5fefc26463fba96f35e304c3e3dd87d0d48f281063e9dd0a9886c963
Opcode Fuzzy Hash: eaca83faf117a59932d1f6a968ba0e83dcc3129f0816a2a812df4a27e5a7f58c
Instruction Fuzzy Hash: 62B16C22E0EA824FF399E76C6C56178BBD0FF51799F0801BBD188C71D7DE19A8458389

Function 00007FF848CFF5B0 Relevance: 3.4, Strings: 2, Instructions: 910COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848CFFC81
,L_L, xrefs: 00007FF848CFF9C0

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: H$,L_L
API String ID: 0-3163723879
Opcode ID: 88ea4b409d4d45c27654d3dabc8e158bd17530f8096c271b886923c4d03e28bd
Instruction ID: f28fdcb62c9ea9baa96a3a8fa1675f2396307b8e398028e66459f4a4764d0374
Opcode Fuzzy Hash: 88ea4b409d4d45c27654d3dabc8e158bd17530f8096c271b886923c4d03e28bd
Instruction Fuzzy Hash: 33D16931A1CA8A4FF799EB2C68551B577E1EF95790F1400BED84DC32D7DE28A843834A

Function 00007FF848CEA7DA Relevance: 3.1, Strings: 2, Instructions: 551COMMON

Download Yara Rule

Strings

yX_H, xrefs: 00007FF848CEAACF
vX_H, xrefs: 00007FF848CEAE4F

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: vX_H$yX_H
API String ID: 0-3491284542
Opcode ID: 78eb584c3c85ffbd8e5ae913d778b4bc920daf94e1e20f3ad4ab95829338c613
Instruction ID: 4acc18a944db10c289e1c527ce1b03d7e33a27432e66f407226d219a1a9c315b
Opcode Fuzzy Hash: 78eb584c3c85ffbd8e5ae913d778b4bc920daf94e1e20f3ad4ab95829338c613
Instruction Fuzzy Hash: 2612FB71E189198FEBE5EB1898997B873F1FB68740F1001F6D04DD3296DF3869C28A19

Function 00007FF848CF79D0 Relevance: 2.1, Strings: 1, Instructions: 802COMMON

Download Yara Rule

Strings

\, xrefs: 00007FF848CF7CC5

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 14133c882656d6fd2bbf9bca73ddfa13f9b53a0b7db44cd6e1fb47b8f9c26e16
Instruction ID: f830ba878a5b5bf32f2334befc555d3399fa26e359fdea23c74f05140521062d
Opcode Fuzzy Hash: 14133c882656d6fd2bbf9bca73ddfa13f9b53a0b7db44cd6e1fb47b8f9c26e16
Instruction Fuzzy Hash: 20422530A1CA854FF7A8EB2894952B977D1EF89340F14807ED58EC32D6DF2878468795

Function 00007FF848CEC419 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

^, xrefs: 00007FF848CEC472

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 249a8ca2c4ea137e3e7a29382b6b5af4b8dc781f0de169db493c96889200fc7c
Instruction ID: 8cfd18b860c3c91b7b1639860c1f26ccf81b5ad3b6dbe39b12257a8bb04f2ef6
Opcode Fuzzy Hash: 249a8ca2c4ea137e3e7a29382b6b5af4b8dc781f0de169db493c96889200fc7c
Instruction Fuzzy Hash: 4BC1F613B1D5965FE352B72CB8550F97BA0EF512B7F1801B7D188CA093DF1C644682AD

Function 00007FF848CEB09A Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848CEB42E

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7559c7081cbb47c05be44ddd9a094ff32cb1f9a7fa4e47c45728687f66cb0d63
Instruction ID: ef0ada3a80b0221c54472e33e8fa1216d43d5cd5abfa8f7f716c65999ef3ecac
Opcode Fuzzy Hash: 7559c7081cbb47c05be44ddd9a094ff32cb1f9a7fa4e47c45728687f66cb0d63
Instruction Fuzzy Hash: 36C13130A1CB868FE3A9EB189441675B7E1FF95390F1405BED08AC7296DF39F8428785

Function 00007FF848CE93B0 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848CEB42E

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c1cc227a6ac401f0a363a2d21e16a946fd796fdfe5a25787ba38e154b7b03261
Instruction ID: 01f87f35dbbb1151a5c48aeb1efe0c7b7f3d20faa2431a594329f2a9659302ab
Opcode Fuzzy Hash: c1cc227a6ac401f0a363a2d21e16a946fd796fdfe5a25787ba38e154b7b03261
Instruction Fuzzy Hash: 75C1DF30A1CB458FD7A9EB18D481636B3E1FF99350F24497DD08AC3696DA39F8438B85

Function 00007FF848CE7D58 Relevance: 1.6, Strings: 1, Instructions: 386COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848CF1F5C

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 5f4a5b0359bb980283bf800bbf236b7aebe8f519e6b855a5a420d26247e7129e
Instruction ID: 7d4e6b98cded3ff321cc7281a5958e0711160503cacaeff393cb0acf8912622d
Opcode Fuzzy Hash: 5f4a5b0359bb980283bf800bbf236b7aebe8f519e6b855a5a420d26247e7129e
Instruction Fuzzy Hash: F2B11231A1C9495FEBD9FB2C98496B937D1EF94790F1001BAD94EC3297DE28AC428385

Function 00007FF848CF9860 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848CFB6EE

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: bf4785f2f8b144a90a7e730cb1b451ca2c21de493b9b33256ea54250c1d2c1d7
Instruction ID: 82201fefa90f92e68ba9028d3b211782ec640ea3b3125625071715db67b085f2
Opcode Fuzzy Hash: bf4785f2f8b144a90a7e730cb1b451ca2c21de493b9b33256ea54250c1d2c1d7
Instruction Fuzzy Hash: A9B1CD30A1CB498FE7A9EB18D441636B3E1FF94340F24497ED18A83696DB35F8428B85

Function 00007FF848CE48E0 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

?L_H, xrefs: 00007FF848CFE56E

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: ?L_H
API String ID: 0-3047738230
Opcode ID: 36d1f0f0c9dbdcadbf433bce9f31ad5f1b9ef546c25819670c29f23b47285c0f
Instruction ID: 6d590fccb4823eb67280f95403ec507c0cd0219f1c75611fec398d6a77159ecb
Opcode Fuzzy Hash: 36d1f0f0c9dbdcadbf433bce9f31ad5f1b9ef546c25819670c29f23b47285c0f
Instruction Fuzzy Hash: B3B1F420E0C68A8FF7A8FA7854542B57BE1EF46390F0541BFD54ACB1D2EF2C68468359

Function 00007FF848CE5918 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

\S_H, xrefs: 00007FF848CF468E

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: \S_H
API String ID: 0-2336323542
Opcode ID: 391a371fed3f9763c5e5b01c3bbc12e9511491a4f66916094807c99a575cb28f
Instruction ID: e4a6cf76ac7b3b00e697e3354295a6033cd643eb3effd07633c1c2b62cc3c8ef
Opcode Fuzzy Hash: 391a371fed3f9763c5e5b01c3bbc12e9511491a4f66916094807c99a575cb28f
Instruction Fuzzy Hash: C7712521F1D98A4FF3D5E76C18592B47BD1EF99690F0800BAD14DC72E7EE189C068346

Function 00007FF848CFD668 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

dL_H, xrefs: 00007FF848CFD7C3

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: dL_H
API String ID: 0-2846114773
Opcode ID: cec2a2f551664a72cece465498436cdfef490b0c591e0c0101b985c0ecc16d59
Instruction ID: ef5ef6050a7e306a2dd19bc11a3d13d6b8a27db860099e2c0d6d86c2289322ea
Opcode Fuzzy Hash: cec2a2f551664a72cece465498436cdfef490b0c591e0c0101b985c0ecc16d59
Instruction Fuzzy Hash: 1B514B22F0DE4E4FF7D9E62C685917537D2FBA86A1B1502BBC10DC72D6DE189C468381

Function 00007FF848CE6C90 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

#T_H, xrefs: 00007FF848CE7F8E

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: #T_H
API String ID: 0-3176321433
Opcode ID: 471cfd7b32bebfc985517328f9ee4cfc3c4774fa339a8538a3951c13fd1f94ca
Instruction ID: a3a99ca8489f3aaeb080e92079f4f325d7ea3190d02bf3401b837ae1792d3407
Opcode Fuzzy Hash: 471cfd7b32bebfc985517328f9ee4cfc3c4774fa339a8538a3951c13fd1f94ca
Instruction Fuzzy Hash: AC71C630A1894E8FDBD8EF5CD495ABA77E1FF68381F450179E44AD32A1CB28E8518784

Function 00007FF848CED173 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

rM_^, xrefs: 00007FF848CED201

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: rM_^
API String ID: 0-700486896
Opcode ID: a261cb9c6df1b361d5e80842923eed3991f49a6687a65bb56842b0344e7cd6f1
Instruction ID: ba8a5cfc6672d16f7072c449e8661cc942b98db1a70626ec6712a4af25dc87e3
Opcode Fuzzy Hash: a261cb9c6df1b361d5e80842923eed3991f49a6687a65bb56842b0344e7cd6f1
Instruction Fuzzy Hash: 1061C652B0D5961FE742B72CB4951F93BA1EF41266F0841F7D28C8A1A3DE0C684AC3AD

Function 00007FF848CE7C50 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848CEE739

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 5fa34e5f75959c91ff8ed97d162f51aeba6087ca03c782e430d99e71c67ed7ac
Instruction ID: 44442cf7e5c4f8e65117f83cde176bcde38bf24ebb389799657daf94e26206e9
Opcode Fuzzy Hash: 5fa34e5f75959c91ff8ed97d162f51aeba6087ca03c782e430d99e71c67ed7ac
Instruction Fuzzy Hash: 41312932E0D5694FD355EB2CA8956F93BE0EF422A1F0841F7D48CCB197DE0C684683A8

Function 00007FF848CFFBE9 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848CFFC81

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-3524016112
Opcode ID: 1a734ab12a22a00af3612c9296912a1bf41fda5b1ecd5e9b089f6b3bef807f18
Instruction ID: 0f423c1ac24936e253b51f37c042e08dcb3787cdb95d99c707aec37a822138e6
Opcode Fuzzy Hash: 1a734ab12a22a00af3612c9296912a1bf41fda5b1ecd5e9b089f6b3bef807f18
Instruction Fuzzy Hash: E1310331A1CA4D8FEB98FA2CA84556577E1FFA9740F10016ED84DC3282DF21E842C785

Function 00007FF848CE7404 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac420dca96a732c9eb20463edcdb9f791d0280e0435f402d98a925f106bcc2e9
Instruction ID: 48a363d947735afb80734a8722c0ce7799e789d952b31148e239a09dba3d6fa5
Opcode Fuzzy Hash: ac420dca96a732c9eb20463edcdb9f791d0280e0435f402d98a925f106bcc2e9
Instruction Fuzzy Hash: 3E02C730A0DA498FD799EB2CD4956B57BE1FFA5300F14426ED48EC7296CF28A846C781

Function 00007FF848CEFA56 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541dc0d4151039b51e62657de3cecd4d75e2ac6189cb50a6585c9fb47ce492e4
Instruction ID: d74196ab2d5d42285ce94adac64e46a60c9a97bf25becf5b7641861ab6689c62
Opcode Fuzzy Hash: 541dc0d4151039b51e62657de3cecd4d75e2ac6189cb50a6585c9fb47ce492e4
Instruction Fuzzy Hash: 3E02A870A1CB898FE794EB2C84556BAB7E2FF94340F1445BED48DC7292DF38A8418746

Function 00007FF848CE5968 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c817012c5b4f18aa7c0ff6a8011ded820f1f27b572d177f57a81fd124fc6c1
Instruction ID: ed7eb0668be3b03e88c4d955c5f93a705adc469ef88a13ddf122a86b56807db1
Opcode Fuzzy Hash: 14c817012c5b4f18aa7c0ff6a8011ded820f1f27b572d177f57a81fd124fc6c1
Instruction Fuzzy Hash: A002AA70A1CB894FE794EB2C84556BAB7E1FF94340F1445BED48DC7292DF38A8418746

Function 00007FF848CF6F9D Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b336d1b20c7319932cb3b40cec53640ffeabbf7b279bea37ba7bf7a37512c6
Instruction ID: 948332598cc2d623586160872bc89ed33a6b0327320ea882abf5177dfda031f4
Opcode Fuzzy Hash: c3b336d1b20c7319932cb3b40cec53640ffeabbf7b279bea37ba7bf7a37512c6
Instruction Fuzzy Hash: 19E10421F1CA8A5FE799F73C585A2B97BD1EF99690F0441BAD04DC72C7DF28A8028345

Function 00007FF848CF6EAC Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a987794496572d01b2823935e52282a7149fb326770fd317dcec60746aed00
Instruction ID: e3d41e4e940da81cf43b2b6d10ded05ad0bbbe3d99996887b9e72bc3e8d6dce5
Opcode Fuzzy Hash: 24a987794496572d01b2823935e52282a7149fb326770fd317dcec60746aed00
Instruction Fuzzy Hash: D3C1C430B1CA895FEBD5E73C945A6793BE1EF99680B0501BAD04DC72D7DF28AC028745

Function 00007FF848CF55A9 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae6375add818f3572c2178afb185d83e5681a7db3732911792edf1b27339025
Instruction ID: dc6d104382b3eb9bb8a19b636bbba4ac4d9f877c067babd60d22f758c43eeeac
Opcode Fuzzy Hash: 3ae6375add818f3572c2178afb185d83e5681a7db3732911792edf1b27339025
Instruction Fuzzy Hash: 9DD10420A1CA464FF7A9F72898952B977D2EF45380F25417AC28FC71C6DE2D7842838D

Function 00007FF848CEC0E0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94b91e29912ce703f496546f21c5d2f11fa66e022cfbee91597bf4865ada507
Instruction ID: ab0c9c2f773dac9656d2a707a779fed210ddfa04df5a896a94c15aa7a1a73186
Opcode Fuzzy Hash: e94b91e29912ce703f496546f21c5d2f11fa66e022cfbee91597bf4865ada507
Instruction Fuzzy Hash: 04B13522F2DD5A8FF7E9F62C64692B563C1EBA86A2F2001B7C44DC32D5DE1C9C464385

Function 00007FF848CE6CD0 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d67e97cc4349a3d7d5d88f566085e8890fbaa2b1803e6b38cf939a958d1d8f
Instruction ID: 717a5ef5fca2afebd35eea084b61537cc870b6aa7671f2f14d6d17d84ae6f6d5
Opcode Fuzzy Hash: 80d67e97cc4349a3d7d5d88f566085e8890fbaa2b1803e6b38cf939a958d1d8f
Instruction Fuzzy Hash: 2CC1C730A1CA494FEB94FB2898559B97BE1FF99350F0401BEE44EC7296DF28EC418785

Function 00007FF848CE454D Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73022b17776ade93888451fffd074fedd166d2d2501986fcd244ff6974bd04f2
Instruction ID: 08ea1a8a6d015e95d668b6d9ed2599a2fb16b14fb3f03593d2453d4c490d87d4
Opcode Fuzzy Hash: 73022b17776ade93888451fffd074fedd166d2d2501986fcd244ff6974bd04f2
Instruction Fuzzy Hash: 9CC12232B0DA5E8FE795FB6CA8441F97791EF85361F1402B7D648CB192DF28A84283D4

Function 00007FF848CF0FE6 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85aaab318a6d2b303fb9a4619380b8f2ea345ff2d1e6241b6559e1bb31cca55b
Instruction ID: 91f39b236cc272c1658c23d4d2fce25d2042844866430a603967cf322d057734
Opcode Fuzzy Hash: 85aaab318a6d2b303fb9a4619380b8f2ea345ff2d1e6241b6559e1bb31cca55b
Instruction Fuzzy Hash: FEC12721E1DACA4FF7D6EB7898556B53BD1EF9A290F0800BAD54DC72D3DE189802C305

Function 00007FF848CEBD19 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70d0b253e135e0fa59fb9be80c3fd4371930200e148a7f160430d4fca935c26
Instruction ID: 8571261bab3665058fa6f73bf0681096c5d4a499af6a63b85d39a3d5d3c18b87
Opcode Fuzzy Hash: c70d0b253e135e0fa59fb9be80c3fd4371930200e148a7f160430d4fca935c26
Instruction Fuzzy Hash: 84A15932A0DD4E0FE7D9F66CA8556B97BD1EF453A0F0401BAD08DD7197DE1DA8428384

Function 00007FF848CED35F Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebb78bac179548571d44377f909a50c3942ddb8a8aeeb14f246702af794d322
Instruction ID: cd711f9cf08c557b7af2d8b1be5ae63b511ec4c5b017465d16550d11db34c48d
Opcode Fuzzy Hash: cebb78bac179548571d44377f909a50c3942ddb8a8aeeb14f246702af794d322
Instruction Fuzzy Hash: 2CB1AF70A1DA494FEBD5FB2C8445AB537E2EF68740F0441BAD80ECB297DE28E845C785

Function 00007FF848CE6D10 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d138f4b42c51b2a222190fa31b51b8efc968441d0132f6b7c46550766b0bf21
Instruction ID: c6dc02f951a8e04c91d9c5d0053e3def4df2ca9e5e12a6ddc068f24f736425d5
Opcode Fuzzy Hash: 6d138f4b42c51b2a222190fa31b51b8efc968441d0132f6b7c46550766b0bf21
Instruction Fuzzy Hash: F7A1F731B1CA584FEB98EB1CA8466B877E1FF99351F04017EE54AC3292DB25F841C786

Function 00007FF848CECA60 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49122f416b8e0435e2b8db912431558f247f148a046881f6e91042281e8a1b87
Instruction ID: 9f68dc002bf1d83f071756b7805ab9eb6fab2c7d39ae8e115b4adb479bdb8f65
Opcode Fuzzy Hash: 49122f416b8e0435e2b8db912431558f247f148a046881f6e91042281e8a1b87
Instruction Fuzzy Hash: 9A81F331B2CC190FEBE4E72CA8597B977D1EB983A2F0501BAD40DC3296DE1D9C428385

Function 00007FF848CEF5FA Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88fd31d7919ed7839771bcc33d3e846ad91e1660ea3dae99fc6e4a0dbe9efba
Instruction ID: fea556b059d7d8380d30e609ce68ac600838120b25a28d846203d871893ba637
Opcode Fuzzy Hash: d88fd31d7919ed7839771bcc33d3e846ad91e1660ea3dae99fc6e4a0dbe9efba
Instruction Fuzzy Hash: 2B31383291CFC54FD391F728985A6B5BBD1FF95350F0805FAC489C71A2DB28A8418387

Function 00007FF848CEB4C4 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c8194a0ad868e68fb10140ca10e362e631130725868429d3a2a511ffe1b739
Instruction ID: 5a371f98017b8bcf430cab7d23a7089b0449c16b59a1d6cd752f9910b169be24
Opcode Fuzzy Hash: 97c8194a0ad868e68fb10140ca10e362e631130725868429d3a2a511ffe1b739
Instruction Fuzzy Hash: 64911231A1DA4A4FD799EF2C94855B6B7E0FF55360F14067ED08AC3296EF28F8428784

Function 00007FF848CE6FE0 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001de6e853ed139015a8cabb22c78635f5e61355cbd84063387a30c833e1374f
Instruction ID: c79e9e6282281ac85ba85a40ea74b2efc7e62ddc90f25b1dff5fefe32c84378c
Opcode Fuzzy Hash: 001de6e853ed139015a8cabb22c78635f5e61355cbd84063387a30c833e1374f
Instruction Fuzzy Hash: 1E814B6194FBC54FD397AB3898655657FB0EF57240B1D40EBC488CB1A7DB1CA80AC326

Function 00007FF848CFB784 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977729b89af69abf09195a81d3bc8c82aa4079ecbbd2bbbba6c36b1ee75d596e
Instruction ID: 3ab72b55a7f32917cbe6dd08a18c2ba3571da2f86fc1c7dd24360723c73238a7
Opcode Fuzzy Hash: 977729b89af69abf09195a81d3bc8c82aa4079ecbbd2bbbba6c36b1ee75d596e
Instruction Fuzzy Hash: 0B910230A1CA4A4FE798EE2894855B677E0FF95350F14467ED18AC32D6EF28F8428785

Function 00007FF848CF27FA Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea2152b4418b96f01f4ac45fa3976b12fd90b5decf0e18653b5752dd6fc610d
Instruction ID: fdeecd0f85f7e93dd55ee35877cd9cc1f7ce585689c2cb7e02290dca50d04d86
Opcode Fuzzy Hash: 5ea2152b4418b96f01f4ac45fa3976b12fd90b5decf0e18653b5752dd6fc610d
Instruction Fuzzy Hash: EE814462B1C98A4FE795F72CA49A5F93BD0EF64791F0001B7E149C71A7DF18A802C399

Function 00007FF848CE0B7A Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7ebe256fe2affcbf4e0d6c4a5367de672d6b3ba9f1de6c6b26c799ea30280e
Instruction ID: 5ce0c6279dd25f4bc871d899c3555bdc62054a55cccac844a99a73fa3dce0394
Opcode Fuzzy Hash: 9a7ebe256fe2affcbf4e0d6c4a5367de672d6b3ba9f1de6c6b26c799ea30280e
Instruction Fuzzy Hash: B0A1C130A1E5494FE799FBA8C4953B97BA2FF45380F1440BDD04ED7692CE286882CB84

Function 00007FF848CFBAC5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91f71d3a9d8254327c10074c0799377f0f1c609605182f446e9337dcfa4f2b4
Instruction ID: 32665d297c76730dff9086ef7618a316dd94d0ec133ccdf1302cef0ffef46678
Opcode Fuzzy Hash: e91f71d3a9d8254327c10074c0799377f0f1c609605182f446e9337dcfa4f2b4
Instruction Fuzzy Hash: 80814531A0DA4A4FE399EB28988567177E0FF56360F1806BAC18DC71E7DF29B842C745

Function 00007FF848CE595D Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54c508fed0648bcac4fcf2f7e091950255224d19c1123f43be096e6bfb7ae17
Instruction ID: b986266177e2a834f1ae30c6338279a755a786952f1e247716b675db216016c7
Opcode Fuzzy Hash: f54c508fed0648bcac4fcf2f7e091950255224d19c1123f43be096e6bfb7ae17
Instruction Fuzzy Hash: 7981273192DE8AAFE7A4F72894597B5B7E1FF95390F4405F9C089C7182DF2CA8428346

Function 00007FF848CE9430 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8358261865a789939778a4db3a370ad006a31470c59db80b91cf176923d702
Instruction ID: e39daa1f3407b1cff77c6db685e2a99fb33bb45792fed55804aa0057b46e7534
Opcode Fuzzy Hash: 7a8358261865a789939778a4db3a370ad006a31470c59db80b91cf176923d702
Instruction Fuzzy Hash: E2713431A1CB8A4FD399EF28A4854B677E0FF55350F10067ED48AC3296EF29F8428795

Function 00007FF848CF9008 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c902a4f7f5f5305cc0a9874135efa1ac4238effeb6fc9a2f2b9f9169f81f710
Instruction ID: dff010f5eb504144cacc783d874b8f26c310f298c1fc941d2813298b5d489be1
Opcode Fuzzy Hash: 7c902a4f7f5f5305cc0a9874135efa1ac4238effeb6fc9a2f2b9f9169f81f710
Instruction Fuzzy Hash: C0712821A0DAC54FF7A7E63C68193757BE1EF56294F0440FFD189C71D7CA29980A8346

Function 00007FF848CE8F25 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3a0f61a3f14d708d3b77e8a72228477884dc94234836ac653c4daa303c4d78
Instruction ID: 16002421ac2981247e37ee6b2efc9b2a3afbe7fb588361279ec3821708cc9f46
Opcode Fuzzy Hash: 1a3a0f61a3f14d708d3b77e8a72228477884dc94234836ac653c4daa303c4d78
Instruction Fuzzy Hash: 7551A231B4DD0A4FEBE9EA1CA494A7473D2FF5C3A0B5405BAD40DC72A6DE19DC418385

Function 00007FF848CFAF80 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae924c60af4a3b316cb3ea5948a066c8c772fecfc005c8062e05d6850e404e8
Instruction ID: 4e0deed5be84cf4cf8735e977fac6ffb3341df831d8d25a57a9c0077f69fb718
Opcode Fuzzy Hash: 6ae924c60af4a3b316cb3ea5948a066c8c772fecfc005c8062e05d6850e404e8
Instruction Fuzzy Hash: 7771AC71D1C99A8FF795EB28A8592E8BBB0FF55384F0400BAD14DD71D3DF2818868B19

Function 00007FF848CE47C8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3367b8bc8d92a0fb18baf41aeb9382ffe85c16dc3139f6ff0fb5fb9fa19ec076
Instruction ID: 50e568efa62f3d96aeeb1770ee36470890d4b5b1338cc4c2db007da5ef7aa7de
Opcode Fuzzy Hash: 3367b8bc8d92a0fb18baf41aeb9382ffe85c16dc3139f6ff0fb5fb9fa19ec076
Instruction Fuzzy Hash: 3561013061CB454FE798EB28C4859B6B7E1EF95380F10467ED14AC72D2DE24F8468B89

Function 00007FF848CE9440 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e058b3ba147409929ca19858aef9d8c4b06ce92d6318ac9bc4af2879e2dc419
Instruction ID: 7453801751d8e8c663786995b1611400f67e3ac288fe6239795b3a158668b5bc
Opcode Fuzzy Hash: 6e058b3ba147409929ca19858aef9d8c4b06ce92d6318ac9bc4af2879e2dc419
Instruction Fuzzy Hash: A851053061CE0A4FEBA8EB1CD884A7173E0FF99350B144679D44EC3266DA39F8838785

Function 00007FF848CE7D48 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a34ed97de37ee29099a92c8a6f365308844900f3ce08da5ade89bde8fec1d67
Instruction ID: 597f6d4b707b7f38ef92caffd02f5308485d882f614c06b4c3ca312b3982db62
Opcode Fuzzy Hash: 4a34ed97de37ee29099a92c8a6f365308844900f3ce08da5ade89bde8fec1d67
Instruction Fuzzy Hash: 6F517621B0DD8A8FF3EAE72C58592B67BD1EF5A290B1441FBD04DC31E6EE149C028345

Function 00007FF848CF28E8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fff381a9b1bb38ee9e9ec39e554e1849194ef93c4a50046dfab45bafe296d1
Instruction ID: f3bd7444381a7de230c70af17dfd334d676f21bd7c8199eb6575dde3fdf47dd2
Opcode Fuzzy Hash: b6fff381a9b1bb38ee9e9ec39e554e1849194ef93c4a50046dfab45bafe296d1
Instruction Fuzzy Hash: 8D51B620B1C9594FEBA5EB2C94556B93BD1EF68750F1401BAF44EC3297DF28EC41838A

Function 00007FF848CF1D91 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510b43499e1446e7f9a492eb7b8c66b047ecb9b8fc6544503c6d34c8b5f1c586
Instruction ID: 4a67f36a2e8a2021b7fdd60ba3267bebdb6d41c96017f935752ab97d6ad4d0ee
Opcode Fuzzy Hash: 510b43499e1446e7f9a492eb7b8c66b047ecb9b8fc6544503c6d34c8b5f1c586
Instruction Fuzzy Hash: 7351AD20A1C9494FEBD6EB2C884867537E1EF99751F1101BAD58EC7297DE28AC42C784

Function 00007FF848CE6738 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dcc2ec3c68e7c74cfcbba05f4ded9526744b2145816d78e0c96f5721de6db0
Instruction ID: 918451e7aa3c5a554da5784401b13b1ed5dd76f43666f2df11f3d05114e8acdb
Opcode Fuzzy Hash: c8dcc2ec3c68e7c74cfcbba05f4ded9526744b2145816d78e0c96f5721de6db0
Instruction Fuzzy Hash: 8051F5A1D1DA895FE795E76C58665F9BBE0FF05290F0402FAD08A87193EE1C2806C35A

Function 00007FF848CFB36A Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ee89681348803973c9e3f0970231f340febd448095a101fd3b23f6695ffa1f
Instruction ID: 2a60166a1ef5b956e3dea3c8776486b2f907c65c55d4c20e1e97c3dea269521d
Opcode Fuzzy Hash: b0ee89681348803973c9e3f0970231f340febd448095a101fd3b23f6695ffa1f
Instruction Fuzzy Hash: AC41252191EA8A4FF796E72848156723BE1EFA6240F1901BAD189C71D3DF28EC068355

Function 00007FF848CF0DE1 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea557f5633f5715b173ee82536f4962a0799f220b9aa103e7587a36579624383
Instruction ID: cd102a35fa2420200a7279aceb34f527271a2ea0f5d1d1c339b4ec692ea1b209
Opcode Fuzzy Hash: ea557f5633f5715b173ee82536f4962a0799f220b9aa103e7587a36579624383
Instruction Fuzzy Hash: 3A51F470E1D98A8FEBC5FB6888956B9BBE1FF59780F0404B9D149C7196CF28A801C740

Function 00007FF848CF0EB8 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463f81349a6c971b38e8d3214991b7982cad134279b9dae633bdbd9d09fa8590
Instruction ID: f28e69b995988ef3d50a14ff872fb546cf25dfe1a3b27f635648e9a8bfec9eca
Opcode Fuzzy Hash: 463f81349a6c971b38e8d3214991b7982cad134279b9dae633bdbd9d09fa8590
Instruction Fuzzy Hash: 1A51F470E1D98A8FEBC5FB6898956F9BBE1FF59780F0404B9D149C7196CF28A801C744

Function 00007FF848CE90CA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2074efa6e864df83134462080ece4b9249a1a9801c9b559df8c482e9a935850c
Instruction ID: 6acded0cafc70a278b4378dc974d540854596ad6723b101e28050f76abd16916
Opcode Fuzzy Hash: 2074efa6e864df83134462080ece4b9249a1a9801c9b559df8c482e9a935850c
Instruction Fuzzy Hash: 5441EC3174C8098FEBE4EA4CE498BB463D1EB993A1B1406B6D44DC73A5DA29DC468744

Function 00007FF848CEF021 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0844050106d9ada2efe0a9b86d93c86e2d9d1557e34f4420e511518e7d0f5
Instruction ID: 5ec4fe5fe16bd4300767776079bddafd34c2271acf683ed522ab0c3f88da4a68
Opcode Fuzzy Hash: 30f0844050106d9ada2efe0a9b86d93c86e2d9d1557e34f4420e511518e7d0f5
Instruction Fuzzy Hash: 8141E420A1DA891FE7D9E72C98296B57BD2EF99350F0401FED48EC7297DE1CAC428345

Function 00007FF848CF162F Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf180aef1658e1def1227fbd8f3354c55f19a48cd53c2d4e10130c0856e512f
Instruction ID: fcafe1520022db518095f07165670f586136018157b85246b48720c4a3e666dc
Opcode Fuzzy Hash: adf180aef1658e1def1227fbd8f3354c55f19a48cd53c2d4e10130c0856e512f
Instruction Fuzzy Hash: E541D221F1D9494FEBD5EB2CA8552B977E2FF99684F0801BAD04DC32D6DE249C028385

Function 00007FF848CE5A71 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b31427e4256796b97a114eb404a97f74afe7277ed135ea63fc4194208b40c4
Instruction ID: 2c7f5ef0f6e8270e4076a3170adb7e2c2ced33d3e070ca93b3237b759be0021f
Opcode Fuzzy Hash: 70b31427e4256796b97a114eb404a97f74afe7277ed135ea63fc4194208b40c4
Instruction Fuzzy Hash: CE41AE21E1DD4A4FE7E8EB2CA4953B677D1FF98290F4501BAD04DC329ADE2CA8428345

Function 00007FF848CE6DFB Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a03a248b3ac82de8f5eab88eec36b089d41e27349d281238947f282fae24df4
Instruction ID: f46908bcce6a98f9cd5c142b3e2a6cc958cbbf5ec93881dd1daeb419d868fe86
Opcode Fuzzy Hash: 2a03a248b3ac82de8f5eab88eec36b089d41e27349d281238947f282fae24df4
Instruction Fuzzy Hash: BC412453F1D9961FE792F72CA8995F5B7A0EF51290F0802B7C048C72D3EE1D1846C289

Function 00007FF848CF4CDA Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58142a02fcde2af23cd000cc2fe47b07cbca0f0ba4460bea91a3ec6a3ba41af8
Instruction ID: b220f06f8108af3c9120f29f0cbcd613da3d836bcda48678be62999b58f5b460
Opcode Fuzzy Hash: 58142a02fcde2af23cd000cc2fe47b07cbca0f0ba4460bea91a3ec6a3ba41af8
Instruction Fuzzy Hash: D4410620A0DB894FE7DAE73C44652747FE1EF4A290F0941FBD089CB1E7DA189C468356

Function 00007FF848CEDC60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e715d794f8fec06f83e842a3c2bfcf939e6d09775e22d1d2812de49bba1aeec
Instruction ID: e9fec9c740176d6bc94cbd231a29c04e3016f606880da00f23d108e22a574d3b
Opcode Fuzzy Hash: 2e715d794f8fec06f83e842a3c2bfcf939e6d09775e22d1d2812de49bba1aeec
Instruction Fuzzy Hash: CA41B33061DE898FDBA5EB2CC494EB277D2EF59380F0445A9D18EC72A6CE29F841C754

Function 00007FF848CE09FF Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729871cab7863d9569e73c0f7df9b323eeed2be5e0e42530e52c676461fa9df9
Instruction ID: 3d4eb205e150572f735f2bf120a33380d100224a091ce077286dfdb62746ce35
Opcode Fuzzy Hash: 729871cab7863d9569e73c0f7df9b323eeed2be5e0e42530e52c676461fa9df9
Instruction Fuzzy Hash: F441D130A199499FEB94FBB884596BDBBE1FF59340F0004B9D00EC7293DE28A841C785

Function 00007FF848CED228 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996e446ee914895445d62e5a86aa8deb99db2029e5101ea6362d72be4b9a6d01
Instruction ID: fb4e8bde4a10f47b81b79004e4c00ff8e6013a3e05bcac0ab27010ee4d2c02cf
Opcode Fuzzy Hash: 996e446ee914895445d62e5a86aa8deb99db2029e5101ea6362d72be4b9a6d01
Instruction Fuzzy Hash: 6A41E512B0D6960FE791F72CA8652F53BE1EF42261F0841F7D18CCB197DE1C684A8368

Function 00007FF848CF5B40 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e664e57d314071678a3dd5b209ac412bc8bae80850cf1a5809febb7aee395b1
Instruction ID: f250d554a58b552b13a2f57c35abbc1a6ff8b625ae9f30cd6bf7f9a339f583db
Opcode Fuzzy Hash: 9e664e57d314071678a3dd5b209ac412bc8bae80850cf1a5809febb7aee395b1
Instruction Fuzzy Hash: 3141BF30A1CE064FE799EB28D4956A6B7D1FF98300F14456DD68AC3295DB29B882C788

Function 00007FF848CE8478 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93485c1b9554b1afbf38977bb5405f928747d16ffe165f60c70e33fc899464c1
Instruction ID: 4164aada83f62fe76d2049364f8280d411c9c90027277e5764baf5ea70ad74a9
Opcode Fuzzy Hash: 93485c1b9554b1afbf38977bb5405f928747d16ffe165f60c70e33fc899464c1
Instruction Fuzzy Hash: B6313532E2C95A8FE7D4EA2CE4092B977D0EB54791F05057BD44DC72A5DF1C88824389

Function 00007FF848CE8270 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0028da77506219f87cbdbbd8ef7449d02dc76cf23c605b9d66ab38e0d4a26
Instruction ID: 51076a6efe5a4e719d3f459513dfa58719413ca0af7751d65ac73bf951318020
Opcode Fuzzy Hash: 7ba0028da77506219f87cbdbbd8ef7449d02dc76cf23c605b9d66ab38e0d4a26
Instruction Fuzzy Hash: A2411621A1EA891FE3A9F77C685A1B57BC1EF46390F0800FED089C71D3DD086C428389

Function 00007FF848CF7728 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dd3be7f7de912323105e039a016a3f057887c31781d9c345c03e4faeff40d0
Instruction ID: a90aa429c8a7ea2b98c3983e9178baabde58812c4201d7cc24e8a49efafb9ef1
Opcode Fuzzy Hash: 37dd3be7f7de912323105e039a016a3f057887c31781d9c345c03e4faeff40d0
Instruction Fuzzy Hash: 9F41E130A5DA898FE79AEB28C0946B577E1FF55340F1540BEC08AC72D2CF29B842C749

Function 00007FF848CEDC5B Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2672e5dcc36c8f2f38dfdef27a99fde5fdc79e9b3ce787719a1db2ee7bce7570
Instruction ID: 47c9c29e2cba532f8178c17e98c13255ac1ed0b02828370dd36f26e7b92680f2
Opcode Fuzzy Hash: 2672e5dcc36c8f2f38dfdef27a99fde5fdc79e9b3ce787719a1db2ee7bce7570
Instruction Fuzzy Hash: F441C33061DE898FDBD5EB2CC494EB177E2EF58380B0445A9D08EC72A6CA29F841CB54

Function 00007FF848CE14E1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb06a532c4f865b4fec22e578bd6611ac887a21133b8db181b0f320aea5be7a
Instruction ID: 212f571125583cd703fe945894751f99f7140b92d1874ab5c61e45d99a94ea4f
Opcode Fuzzy Hash: afb06a532c4f865b4fec22e578bd6611ac887a21133b8db181b0f320aea5be7a
Instruction Fuzzy Hash: 8E41B431A1D94A4FDB95F76884597FABBE0FF58351F0400BAD00DC71A2CF289841C781

Function 00007FF848CF44A1 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97f9d4561dc7d1ef68511abd192b660abf6971ee8560abdf0147503493c16ed
Instruction ID: 6345cc5537e29763fbb3d29317e87271a871611da002ae68f5049690ad1dd8a2
Opcode Fuzzy Hash: e97f9d4561dc7d1ef68511abd192b660abf6971ee8560abdf0147503493c16ed
Instruction Fuzzy Hash: B931BF21E1DEC94FF3D5E77C18692706BD1EF5A694B0900FAE589CB2E7DA049C068305

Function 00007FF848CE2C98 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c160e1445a13b1579588edcb714ddd3fffb64a2b65c65c2a69ae702a652dbf
Instruction ID: d1962509e9357b92f259628de9214a0ae67fafd81a0953a63bcd8f888d636b70
Opcode Fuzzy Hash: f7c160e1445a13b1579588edcb714ddd3fffb64a2b65c65c2a69ae702a652dbf
Instruction Fuzzy Hash: C5319E31B08C1D8FDBE8EB5CA4497B973E1FB98751F0441B6E40ED7295DE289C014389

Function 00007FF848CF4C50 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f27c020c6916ed972ec5e2fe31d2236e5911f7b1742365ebb2c907554c784a2
Instruction ID: 626b8afbf7df4141463f3bdbaa4e4a7ec32806b7c815f106b9287da4ef279047
Opcode Fuzzy Hash: 8f27c020c6916ed972ec5e2fe31d2236e5911f7b1742365ebb2c907554c784a2
Instruction Fuzzy Hash: 5E310831A0DAD94FE7A6E73858646B47FE0EF47290F0A41EBD489CB1E3DA085C49C352

Function 00007FF848CE48ED Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
Instruction ID: ee08f1d86c14ba90b9344cc6ca830f453dc313b488cb2b01d9b8b300fc8c9937
Opcode Fuzzy Hash: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
Instruction Fuzzy Hash: 2B318E3066CA598FE7A9FB18C08467573E1EB98340F60417DD14EC32D1CF25B842C788

Function 00007FF848CF7520 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e135addfe517b7d89abe7639b665852026e8cff906f428f45f3d8dd05c1aed
Instruction ID: 92b3350b80a8a3dbe12d2cd07adf8ed373c479cb0a9de22a5720dfd6de4cc277
Opcode Fuzzy Hash: 20e135addfe517b7d89abe7639b665852026e8cff906f428f45f3d8dd05c1aed
Instruction Fuzzy Hash: 5B41A02095DBC94FE796E73888596657BE1EF06340F4A40FAD089C71E3DF1CA806C359

Function 00007FF848CFF271 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6e28c1e49f92af4d40ff1c8b58bfb872afb244f3d35f1023d568ab477c01eb
Instruction ID: ae3fa926ce33c03b6d4f4ec353361ad191e5c46ff32036e9aee38683a9e6af51
Opcode Fuzzy Hash: af6e28c1e49f92af4d40ff1c8b58bfb872afb244f3d35f1023d568ab477c01eb
Instruction Fuzzy Hash: 6631C221A2C9CA0FE796E33C44653FABBE1EF95380F0800E6C089C7192DE1898469386

Function 00007FF848CF97F2 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912e797f198c34515afa8418baf344aa9a38f8b5e69491cd18a0062053e47855
Instruction ID: 36ab5e7554ccd31b946bd709f789d5e1759efa501f607d9035ee520cee28bdbc
Opcode Fuzzy Hash: 912e797f198c34515afa8418baf344aa9a38f8b5e69491cd18a0062053e47855
Instruction Fuzzy Hash: 36315822A0D6465FE345F76DA4161F63BE0EF422AAF1801BBE28D87193DF146801C3AD

Function 00007FF848CE97E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5873edf63c18bfdc7e6a4cbf1f3e30a48229f41fde32e2309ce7839831070045
Instruction ID: f3e61f6e243e4ffd22b201bb0a1ea01c1361e8559748227b6196141d93e4e942
Opcode Fuzzy Hash: 5873edf63c18bfdc7e6a4cbf1f3e30a48229f41fde32e2309ce7839831070045
Instruction Fuzzy Hash: 97219F22B2DD0E4FEBE8E61D64656B963C2EBA8392F54017AD40EC3685DF2DDC424349

Function 00007FF848CE3F69 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bcad926df61ed8567e10948a62c301aa1719794baa64617e0f0ff5a64f859c
Instruction ID: 6b6f77bf58f7f479f4c2cce4a153460a86d2c8c9b60528d021cf2983e157de03
Opcode Fuzzy Hash: 89bcad926df61ed8567e10948a62c301aa1719794baa64617e0f0ff5a64f859c
Instruction Fuzzy Hash: 5431943188D5911FD74693346C575F27BA4DF42365F1A01E7D04CCB9A3CA1E6583C3A6

Function 00007FF848CFF3B5 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de66de43caad6d618fce942ec607a9a446941f7c3404dc280212f034716a823e
Instruction ID: 59da436f077bf694ee660c65b7e640d04bc17b7d8fff087683f4bc90c409e740
Opcode Fuzzy Hash: de66de43caad6d618fce942ec607a9a446941f7c3404dc280212f034716a823e
Instruction Fuzzy Hash: D331047095E9C91FE795E77C681A2FABFE1EF4A240B4800EBD489C72D3DD1818468396

Function 00007FF848CE49F2 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70273ad26c453729b711717b1bdf76d8e5c41128f6285734f0ce371194741097
Instruction ID: d3c5866a841924d78f00bb592f1d094ae8d6fe7c8a17b1e9d631d2859382738c
Opcode Fuzzy Hash: 70273ad26c453729b711717b1bdf76d8e5c41128f6285734f0ce371194741097
Instruction Fuzzy Hash: BF31AF31A0DE588FDB95EB2C98597B97BE1FF59350F0901F6E40CD7296CE289C058389

Function 00007FF848CE109D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e7e74f80b2ef8a330211cb604f5dd720fb34969a8e0ada4e08b83f9bc0f052
Instruction ID: 94ebf20ebf03d38818a06fcff856ef7f5df03e0eeb7e98eca85bac37a11b9dcf
Opcode Fuzzy Hash: c5e7e74f80b2ef8a330211cb604f5dd720fb34969a8e0ada4e08b83f9bc0f052
Instruction Fuzzy Hash: A431FB5048F7C21FD3A397B499645923FFA9D87560B0E81EBD5C8CE4A7D28E485AC323

Function 00007FF848CFCA31 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00f8157c16b7269f2c2696af6c131ef9e8dc231620a7a6adc191a384bffd8d2
Instruction ID: 28cfefc3de5034c474adc3b0111005cea51336ee96f01e8a9c63a2addd017795
Opcode Fuzzy Hash: a00f8157c16b7269f2c2696af6c131ef9e8dc231620a7a6adc191a384bffd8d2
Instruction Fuzzy Hash: B231E23191CB984FEB54EB189C465E9BBE4EF96310F0401AFE889D3192D764B945C7C3

Function 00007FF848CE7DFB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e7d124a2dc872d6e0328808cf2424156e377d6e25e691f4759eb514795302b
Instruction ID: 3fc0d41fa68ed1f6935a3c687dea4e7f14bd19adec51349ad83dc2bac460af71
Opcode Fuzzy Hash: d4e7d124a2dc872d6e0328808cf2424156e377d6e25e691f4759eb514795302b
Instruction Fuzzy Hash: CB318331A0DA8D4FDBC5EF2888956F97BF0FF69355F0401BAD449D3192CB289845C794

Function 00007FF848CF119B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bddf93be6a18ad30638b5f140255abf59ec141c6ffa74a7b4e875dd436f53b0
Instruction ID: f079ae5987e83e59383117b958e4ed07f36eb8275808f260f7a589660e886bed
Opcode Fuzzy Hash: 7bddf93be6a18ad30638b5f140255abf59ec141c6ffa74a7b4e875dd436f53b0
Instruction Fuzzy Hash: E131A430E0C9894FFBDAEBA8A4656B83BD1EF59384F5500BAE54DC72D2DE189846C305

Function 00007FF848CF6DE1 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f45140f8ca3e3258e59e90569040b1e7d824bb05ac5a3774154a0a6c888d98
Instruction ID: 7ce9587aa44c413cf97c242c1f618caca46dbb2d089a238f9d71186828d37645
Opcode Fuzzy Hash: b6f45140f8ca3e3258e59e90569040b1e7d824bb05ac5a3774154a0a6c888d98
Instruction Fuzzy Hash: 58214C31A1CA0D8FEFD8EB1C9455AB877E1FB98750F44027ED14ED3281CF25A8018B89

Function 00007FF848CF9B66 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46fa5dc4c4312532e3c587db0189b630b8e83e2a92509949e1a9cb1e60c98f0
Instruction ID: db8c4b7a8fa3f7d93926e883011ab503844a2da7f0f59365233803506fca7a49
Opcode Fuzzy Hash: c46fa5dc4c4312532e3c587db0189b630b8e83e2a92509949e1a9cb1e60c98f0
Instruction Fuzzy Hash: 2831E5309189499FEFA9EF18C889BA877E1FF59358F0101B9E44DD72A1CB38E844CB44

Function 00007FF848CF64B2 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3aadaef186cc04f3820cc4875f7a35ee2577b6877149e7b837247685cedc59a
Instruction ID: dabf3435070ea8c3ac7a30919864736a4c8fd6490ba6d65875cc962912f255fa
Opcode Fuzzy Hash: d3aadaef186cc04f3820cc4875f7a35ee2577b6877149e7b837247685cedc59a
Instruction Fuzzy Hash: 5421F332B0CA084FF798EA1CA4561F977D1EF89261F04027FD28EC31D2DF16A806464A

Function 00007FF848CE092D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86eaae7159c90dbe73f07989a77e1600a81924a2f91d19b6ccdf043760b238ed
Instruction ID: f7686117fe069dd730468ab5135527c67d879e2bfb83e8b0827758e5787acdd5
Opcode Fuzzy Hash: 86eaae7159c90dbe73f07989a77e1600a81924a2f91d19b6ccdf043760b238ed
Instruction Fuzzy Hash: 5831EB5091E5C61FD795FBB8045A6F9BFE1EF46290F4405EAD0C98B1D3CA181C02C785

Function 00007FF848CEBE1D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d58678d47c6fef457931b0b84fae7a19467b4d87dab167644be9a75a3e3f56
Instruction ID: 4e6b840c3324dd2eb53b3491c6a9c1dc691fbf15a203494ac3dd2716163e63a6
Opcode Fuzzy Hash: e2d58678d47c6fef457931b0b84fae7a19467b4d87dab167644be9a75a3e3f56
Instruction Fuzzy Hash: 68112931A0DA4A0FE7D8EB1C9856A727BD5EF56390F0442FED04CC7297DA2DE8028744

Function 00007FF848CE1289 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b293f91fedb0fb166955b246d6e3f97ed10c0267766d1bd7116e84f693f890d
Instruction ID: ce946e9046a04fdc5046253b2f7b85ec141f9f7cf123e221b1ec9183878b8ac5
Opcode Fuzzy Hash: 9b293f91fedb0fb166955b246d6e3f97ed10c0267766d1bd7116e84f693f890d
Instruction Fuzzy Hash: F421C24190FBC51FE392A7781C691B57FA1EF47690B1D45EBC484CB0A7E90C9C198356

Function 00007FF848CEDEE1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44db6ca8e8bad9529ef6f30b7212a2955c348c2e6a40e60464682167431d7ddf
Instruction ID: 40a7d807f6af246fa92a726b1845a56784848047f0810c9d314350e66e619514
Opcode Fuzzy Hash: 44db6ca8e8bad9529ef6f30b7212a2955c348c2e6a40e60464682167431d7ddf
Instruction Fuzzy Hash: 78112332F1DE894FE3D5E56C2C691752AC2EF99644B0901FBE60CC72E2DA488C05834A

Function 00007FF848CFEF99 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82452f9030119f4b2412e325362d54bb93eceea1e96274353875dec8b9dd5b9
Instruction ID: 39247398e292738cbb2205af086b6c1caf501f64191d9b9cbc0a026ec03c6354
Opcode Fuzzy Hash: b82452f9030119f4b2412e325362d54bb93eceea1e96274353875dec8b9dd5b9
Instruction Fuzzy Hash: 0D11D032D1C98D8FEB90FB68A8151B9BBE1FF89350F0401AAE40CC71D2DB285C458386

Function 00007FF848CEDF00 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e4baf74f796c5c3aa2a1f6fc9dc91c2e1c03912f1b5035368937c6e29469a7
Instruction ID: 05aec16ccd6398d62c78d3f4c4acd1b5aeac06536db126ef3521c087aaffefcf
Opcode Fuzzy Hash: c6e4baf74f796c5c3aa2a1f6fc9dc91c2e1c03912f1b5035368937c6e29469a7
Instruction Fuzzy Hash: 8B114432F1ED494FE3D4E46D3C5917526C2EB99654B0401BBE60CC72E6DE4A8C42838A

Function 00007FF848CEBF7D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f107b7af8d8de1e4f161acff47231c169c6dd4f6a9099b2c0d588da6e48c48b3
Instruction ID: bb0dab281b19e8dd01ef4f63af8576a045dd80ede1c5ad747bc15e9d469265ba
Opcode Fuzzy Hash: f107b7af8d8de1e4f161acff47231c169c6dd4f6a9099b2c0d588da6e48c48b3
Instruction Fuzzy Hash: 5911262150EBC51FE7A2F37898565B17FD0EF56390B0A00FBD0C8CB0A3D9086C868365

Function 00007FF848CFEFD1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce27b123e6691e1734c762b81f412e1e08a37e1f1a68198deaf8637aedbdfb6e
Instruction ID: e9637552abf884d0a493ff96121c3487fa4f4cf61f842670769608f73572c0af
Opcode Fuzzy Hash: ce27b123e6691e1734c762b81f412e1e08a37e1f1a68198deaf8637aedbdfb6e
Instruction Fuzzy Hash: 76112532C1C9885FEB91FB2858161FA7BE4FF45360F0402B7E408C75D2CB1C19428392

Function 00007FF848CFF1E0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84fab8c50c10cb70edd27e848eac11bcdd99f02e426418fe186fae44cabd063
Instruction ID: 42188f704c96304086e6ceab2dc7d41b8efd78015d16a98ec66293c7331b6a8e
Opcode Fuzzy Hash: f84fab8c50c10cb70edd27e848eac11bcdd99f02e426418fe186fae44cabd063
Instruction Fuzzy Hash: AE11511093F58A1FE78AF7B818966B57B81DF0A190F4808E9D58A870E3DD0D245AC24E

Function 00007FF848CE0480 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c750fe795490cb6d627301c715fdc7eca30010795098b660882868c09d1731c
Instruction ID: cc543a42d77f608005b913472f3d81f41c5a01a2d1b04c35710c2d6e4e4c7768
Opcode Fuzzy Hash: 5c750fe795490cb6d627301c715fdc7eca30010795098b660882868c09d1731c
Instruction Fuzzy Hash: CC01D806B1E06529E612B36CB4A15F93B90DF4537AF1941B3E28CD90D3DD09684981ED

Function 00007FF848CFF0EC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ece1b92b1730fd78ee06b33e511ab1e7cbd44e3c81dfb7e4bd1451735504789
Instruction ID: 24822c8796cc22b94da69513b2f1c9dce2a7e395c6da50bbb62dff919be4b10c
Opcode Fuzzy Hash: 2ece1b92b1730fd78ee06b33e511ab1e7cbd44e3c81dfb7e4bd1451735504789
Instruction Fuzzy Hash: 8611545062E8C22FE789F37848666BA7BE1EF4A2C0F4804FDD08AC75D3DD181805C346

Function 00007FF848CE4ED0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e9c71739fc119dc72247344029cd1adf379096d7f8790868c7c915dccb6173
Instruction ID: 705f8a749166d8a83796d0b8c59901e61c903d977ce784e5074b4e0bb7e5706a
Opcode Fuzzy Hash: 24e9c71739fc119dc72247344029cd1adf379096d7f8790868c7c915dccb6173
Instruction Fuzzy Hash: FE01AD31F0C90E5FD7E4EA1DA84477623D0EB98360F80027AE40CC3296DE68EC014385

Function 00007FF848CFF4D9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cf1633d3c9f280f149ede136cd041144b4f8cef57a23138db2b7041a32e110
Instruction ID: c5028a373a3836f7edd6b1f49ef5803daf403e713bdf4cf143c659ee95539e01
Opcode Fuzzy Hash: 89cf1633d3c9f280f149ede136cd041144b4f8cef57a23138db2b7041a32e110
Instruction Fuzzy Hash: A301F12195E6810FE38AE338A8122F17BD0DF86360F1981BAE58CC71D3DE5D58428399

Function 00007FF848CE9D2B Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ee2b1fd3a084d2070745009b272449f7e9aca1d41494c424e2a0cb3f36cd4d
Instruction ID: 9fa28a34d6b7ebe31cdd5e85ddef25de6a874c8789f35b1668e4e77972cf0045
Opcode Fuzzy Hash: 58ee2b1fd3a084d2070745009b272449f7e9aca1d41494c424e2a0cb3f36cd4d
Instruction Fuzzy Hash: 1B111C70D189598FE7EAEB2888492FDB3A1FF58380F1001B9D04ED2297DF385985CB04

Function 00007FF848CED79D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea89b709ed8f2a8e6bb62b2c852c7262c53a5d562cd40fd9f37f55ab08f82aa
Instruction ID: 7299ae9a7ec915aebd376608f48c4903a148a3f7ee8b1ab63e010423f6c76699
Opcode Fuzzy Hash: aea89b709ed8f2a8e6bb62b2c852c7262c53a5d562cd40fd9f37f55ab08f82aa
Instruction Fuzzy Hash: AA01D62190DE8A0FE79AF73C64912B577E2EB56291F0405BAC489C3186DE4D64468345

Function 00007FF848CE0862 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ebaadf2cc5f0d315931f5fd65273260c344c633c344c6b4f5425cec05705ad
Instruction ID: b35ab400c986ce0f1fc7f8b142ce23a94614c5d3dda2c62502c34fd4aec612b4
Opcode Fuzzy Hash: 24ebaadf2cc5f0d315931f5fd65273260c344c633c344c6b4f5425cec05705ad
Instruction Fuzzy Hash: E901D86190EAC85FD366AB7858253A57FE0FF56300F0801EBD058D71D3DA285C19C3D2

Function 00007FF848CFABB1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef43ba2d0f50fa9ef89e435a94aa5f7e510fc674503fc366f191bcb2138689c3
Instruction ID: 4cbd77778eeb702d78b3fd0d03aaf61c21fa76d27947a21de7c5f185b3292cc2
Opcode Fuzzy Hash: ef43ba2d0f50fa9ef89e435a94aa5f7e510fc674503fc366f191bcb2138689c3
Instruction Fuzzy Hash: CCF02852F0EA8A1FF3D2E26C689A2B4AB81EB98161B0841F7D04CC71E2DD0C0C874396

Function 00007FF848CE5D33 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40302585457cc272559fc2e5327e6e87173e5f579008db0aee3d3d29525a85e2
Instruction ID: d08f4488317e9c00e6d50c312bd5c139eb0368e57fadbd9857206e8cc34c8027
Opcode Fuzzy Hash: 40302585457cc272559fc2e5327e6e87173e5f579008db0aee3d3d29525a85e2
Instruction Fuzzy Hash: A6F09611F1DE1E0FE7D9F66C25193B962C1EB882A1F80117BD90EC2186EE2D9D41828C

Function 00007FF848CE5A80 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe9fd9a80e7ec5b57652bd5353fb55f4ca16d63713b89805d06391355da88f4
Instruction ID: d26a9b955fb405c4a032ac7d82c3b62e409c2195c757a530ace1e40bf1e4e1e1
Opcode Fuzzy Hash: ffe9fd9a80e7ec5b57652bd5353fb55f4ca16d63713b89805d06391355da88f4
Instruction Fuzzy Hash: C7016221A19D4B4FD7D9FB2890916B673E1FFA8340B44457AD00EC3245DF28E8428345

Function 00007FF848CE4D51 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5510ef684bb7fe8c0e57c41cb64c8e0c642b1552099be807c3aa598818d30167
Instruction ID: 04be252df16329f55f2b8501b9c779f1073dcba7e1403458f8b1a8c760343f43
Opcode Fuzzy Hash: 5510ef684bb7fe8c0e57c41cb64c8e0c642b1552099be807c3aa598818d30167
Instruction Fuzzy Hash: 9901C271C1D9CD6FD756EB7898994F97FB0EF46280F0904EAE489C71A3DE2C26148352

Function 00007FF848CE4B4D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333299cdbed1a8c9a61a4ff2470a96f547f97ff15d8a4b08999c69709fd06872
Instruction ID: e97cf087eb582fff12298fa563e9951038bab0e170d13c0cae3a1cd31a166efd
Opcode Fuzzy Hash: 333299cdbed1a8c9a61a4ff2470a96f547f97ff15d8a4b08999c69709fd06872
Instruction Fuzzy Hash: 24018C0581EEC61FD3A3A37828242B16FA59F83264B0D02E7D0C8CA08BDA0C5856C39A

Function 00007FF848CE4CF5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c0269e86565d23deecbbdd0d4a92358e440408670899596163225a8050a829
Instruction ID: 16124e8a0cddf17797a93213f1185984dac1d64d50a5a40fa976d5e2edb0b0e8
Opcode Fuzzy Hash: c6c0269e86565d23deecbbdd0d4a92358e440408670899596163225a8050a829
Instruction Fuzzy Hash: 55F08252F0EDDA0FD3D6E32C68651B45B92EB951A0B4D03F7C488CB18BDD4C4E464399

Function 00007FF848CE7D50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
Instruction ID: af02111d78b8b2a5e598c8e225a5a96ca4b5c4ea7a096f5cd1199bbe3a347c7d
Opcode Fuzzy Hash: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
Instruction Fuzzy Hash: A4F0E23160C80B8EF7F9E10D9459772A6D8EF8A3F0F221077E54EC21D2EA496C428354

Function 00007FF848CE5BE9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b326f34c8f4a0e3187aa8158d7780c4abc37740cfa1ca7b060e47d7f68403f8
Instruction ID: 842bfded59f13970fc48e6ac77b53839ef29995b54d4013cc33c570b8fa033b1
Opcode Fuzzy Hash: 7b326f34c8f4a0e3187aa8158d7780c4abc37740cfa1ca7b060e47d7f68403f8
Instruction Fuzzy Hash: CD01A93081CB8E4FDB86EF2888581FA7FB0FF16200F4008ABD458C72A2DA794814C741

Function 00007FF848CF6413 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
Instruction ID: 61f72920589fee5e41a108f2f01ee844b24eae37126211d8514f799a50cb36c8
Opcode Fuzzy Hash: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
Instruction Fuzzy Hash: 91F0DA71A2CB188B9B44AE4CBC434A977D0EB89B60F10116BF94A43241D621B8928AC7

Function 00007FF848CE6FF2 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a97ec8505599f3b8cdcab6f61b8ac5fd7177e8a85d2d9816b9524eda262b6ef
Instruction ID: d8270060c255c810dd33cb0dca9a7f017cf04b1e3595fed4561b9de237b70336
Opcode Fuzzy Hash: 3a97ec8505599f3b8cdcab6f61b8ac5fd7177e8a85d2d9816b9524eda262b6ef
Instruction Fuzzy Hash: 3EF09061B19D0B8FEAD5FB28E4909BAB3E1FFA4780B504875C00AC3185DF28E8428744

Function 00007FF848CFBE9B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdd50f36252cfcdd8cdbf831ac34e1ca273fe8e98120c94be54a0ae04a363a3
Instruction ID: 453014d732c160534c9c9a0b155fd0c50961d6149370776dc77b33169fd5d0e2
Opcode Fuzzy Hash: 4fdd50f36252cfcdd8cdbf831ac34e1ca273fe8e98120c94be54a0ae04a363a3
Instruction Fuzzy Hash: 3BF08C62B1CA594FE288BA1C24022B9B3C2EB89960F11816BC18EC3286DE25680B4285

Function 00007FF848CEB902 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7661274f33c9129183e4b0808045872dbd61d1883e57e7c0235211108d9c5db
Instruction ID: 22f9f8174396a6af686f7506bf3c9b46407cd69e95ce4d99f5b903354864cb05
Opcode Fuzzy Hash: a7661274f33c9129183e4b0808045872dbd61d1883e57e7c0235211108d9c5db
Instruction Fuzzy Hash: 1CF0C22040DACA0FD356EB3894546B07BF0EF46350F4D01F6D488CB2A7DA1DA8858395

Function 00007FF848CE8AE8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e31f494c52a1f2c0bb0eabae855196c424a2bbbfea4fbd5ad6ef274cc739bb5
Instruction ID: b434e1142042d212ab153425a110d2efe9a3b12d5b3632278b3e190625d73f8b
Opcode Fuzzy Hash: 9e31f494c52a1f2c0bb0eabae855196c424a2bbbfea4fbd5ad6ef274cc739bb5
Instruction Fuzzy Hash: EBF05C31A1DC0D0FD3E4F31C60446BE32D2EB94750F40023AD40DC32C5CE5D68428385

Function 00007FF848CEDF92 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d028b2f43a4f72a7e60ba3c39b3b78780143be4aed465062476aae02a99bf0c7
Instruction ID: 7e37d02a7961ee0f9e4986681d6016ce3fc679c85ab863b51430e7779beb99db
Opcode Fuzzy Hash: d028b2f43a4f72a7e60ba3c39b3b78780143be4aed465062476aae02a99bf0c7
Instruction Fuzzy Hash: 0AF06D8181E6C41FE75BA778086A2A67FE29F5B150B4D85EBC1C8CF1A3D51C540AC352

Function 00007FF848CE92C5 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18606aa9f22a63096927ab58a008ccea1b0eaa331fd8dbcc7d70ffea8e51c58
Instruction ID: 6bd060068c65faf7a057458a8a85021eca853a0dfadc533f26ef19db13fda32c
Opcode Fuzzy Hash: c18606aa9f22a63096927ab58a008ccea1b0eaa331fd8dbcc7d70ffea8e51c58
Instruction Fuzzy Hash: AEF0277280CB824FE791E62988861F47BC0FF5A260F4805F6C048CB0A2E71C9989834A

Function 00007FF848CE51FE Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8589856443427d2d7d9d656dc559db4ae3479344fbae14a96040bc24500a8af3
Instruction ID: 2e65a28b678ba4e738ee31969d47d6b177205c97022183f8c96351f9b9a35d4b
Opcode Fuzzy Hash: 8589856443427d2d7d9d656dc559db4ae3479344fbae14a96040bc24500a8af3
Instruction Fuzzy Hash: B3F09712A0EDCB4FE7C5F7286881AF9B781EF50640F0408BEC00DC7097CE28A9868304

Function 00007FF848CE08DD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd1a2fb75f9f566123dbc276ae05e10ca37906b19cfe0a5f74ef021d58301f7
Instruction ID: 9581312b29f59c911d02815224af1ee309868abda5235a65d9dfb2948347f699
Opcode Fuzzy Hash: fcd1a2fb75f9f566123dbc276ae05e10ca37906b19cfe0a5f74ef021d58301f7
Instruction Fuzzy Hash: 8DF0E260D1E98A1FE795FBB8105A2B9BFE1EF55290B8401EED04A836A2C91C080287C4

Function 00007FF848CFF21E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb232d3abc587c0d28f991c491a9131483863a9f5019dc1e63c53a709a8ccef
Instruction ID: bfa39d7d972fcc0dc4e4e9bb462706b5a37108c2ab25337baa686eb51698cf9f
Opcode Fuzzy Hash: 5bb232d3abc587c0d28f991c491a9131483863a9f5019dc1e63c53a709a8ccef
Instruction Fuzzy Hash: 70F0E52082F58A0FD389BBA85C925F47B91EF4A290F8404EDD48A875E3CD0C185AC28B

Function 00007FF848CE04C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff26476adab0c5e90d9e9949c32fde73bae2137358cba7ddb2f119ac8390e39
Instruction ID: a5bd3c4f0847d34cdb80099394f617c89fb4028611a32db8ef7b5674fc7a9015
Opcode Fuzzy Hash: 1ff26476adab0c5e90d9e9949c32fde73bae2137358cba7ddb2f119ac8390e39
Instruction Fuzzy Hash: 6EE0D802B1D8791AFBA4B26C70513F92780CF45379F4941B2E98CE51C7DD491C4542DD

Function 00007FF848CE1614 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880addffafdf6fa4e3ddaa917235b7a80234a147c215861e3f9d324185923a77
Instruction ID: 986971b80975bf3e40d653fdfda6405d05a89c834974fff6e7c595ccc21c954b
Opcode Fuzzy Hash: 880addffafdf6fa4e3ddaa917235b7a80234a147c215861e3f9d324185923a77
Instruction Fuzzy Hash: 7FE07D3290CD8C4FCB80FA98E8014E67BA4FBC530CF04009AE44CC3191D3259511C351

Function 00007FF848CF5381 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
Instruction ID: 0a5933c8db1b920fb6b735f8e54dd742b07b446242d330b42e5ae8c44aa36016
Opcode Fuzzy Hash: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
Instruction Fuzzy Hash: D8E0D83260C8054FF758FB0494905F43392EB81360F10463AD606C66D1DE5CE4418388

Function 00007FF848CE04C8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed113b5e1904a30984dead9c2c9791d65be58c4b3030892275df5fb754d24f00
Instruction ID: 94d2add376c6e2f078eb8bfe3cb9513f848ba183271f051f95e85c1c559de929
Opcode Fuzzy Hash: ed113b5e1904a30984dead9c2c9791d65be58c4b3030892275df5fb754d24f00
Instruction Fuzzy Hash: 9DE08612A2D82615FBA8726C70513F92280CF09364F544072E94CA51C7DD492C8141DD

Function 00007FF848CE45A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9630e5225c63844d1be11e52c06c97d7fb5f965d035736d94733a43f786685a2
Instruction ID: 40e66687b5a4ced200344757c1ec9fba894fc8420907a7ddb6d0147fa86b04f7
Opcode Fuzzy Hash: 9630e5225c63844d1be11e52c06c97d7fb5f965d035736d94733a43f786685a2
Instruction Fuzzy Hash: 64E04631A0DC298FEBE8EB2CA444664A7E1EF08780B0500EAE08DCB2D5CA109C488781

Function 00007FF848CFFD40 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c8ac732036227006918f8480f734e7852c34aba79fe23481d2db2e687ea8ee
Instruction ID: fed1421909a67b94294da114da70c565e550e5bb02e49843bf7d325211c24f37
Opcode Fuzzy Hash: 18c8ac732036227006918f8480f734e7852c34aba79fe23481d2db2e687ea8ee
Instruction Fuzzy Hash: E1E092B041D3D00FE35BA73448655A47FA0EB43250F8805EED5C9CF1E3C66C414AC352

Function 00007FF848CFF189 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5afb03a6432ff75a3f397abf3f424558a9d68ac4ca5cfedf0e102c21d881e2
Instruction ID: 79fcba7f9e846d40fd7e3752b69d759ddccc49ff9e2469e2e6f728afb2c1ff3a
Opcode Fuzzy Hash: 6b5afb03a6432ff75a3f397abf3f424558a9d68ac4ca5cfedf0e102c21d881e2
Instruction Fuzzy Hash: E4E0D81191DBD40FF7B6A22818752A43FA0DF06210F0900EBD948DB1D7E94D5C458392

Function 00007FF848CE4260 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
Instruction ID: a988b8eeaf1fb70c0f1d0427c8ee47fcbd5df66123f131231fba8019a2b0d2b0
Opcode Fuzzy Hash: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
Instruction Fuzzy Hash: 0CD06712E1EC2A1BD6F5B32D38156B90085DBC86A0F9A07B6E80CD2289DE5CAC9142C9

Function 00007FF848CE8150 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960f7c9c0fa81a41ecd1ece01e4db02a8c4c4734b07c5262b6cc5c12aa22f3e7
Instruction ID: 89d3e473a9e19acb1400231f73a5cc41c5f61cedefa8d35f319c92dee4199a25
Opcode Fuzzy Hash: 960f7c9c0fa81a41ecd1ece01e4db02a8c4c4734b07c5262b6cc5c12aa22f3e7
Instruction Fuzzy Hash: C7E0C224E1DD0A4FDECCF5298C920303191FBA9208FA400ADC408C2186FA1EC886C305

Function 00007FF848CE59D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
Instruction ID: 3325354f1d2bb9cfec6870d710d8cea480cae5b184da6769a2ac2836f4b4f3e2
Opcode Fuzzy Hash: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
Instruction Fuzzy Hash: 40E0C23081CB464BE744FA324C4507AB1D1FB88281F844A36DC8CC0090FB2CC3C9924A

Function 00007FF848CFBCD8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad13df60485e0ceada3744bbf11c218f0b64a2ecdd8379f76ce2b3593754de6
Instruction ID: 7a67c8974e7eecee9b3fa9992f9ce6a48a264e71080ac544c99814915b910743
Opcode Fuzzy Hash: 0ad13df60485e0ceada3744bbf11c218f0b64a2ecdd8379f76ce2b3593754de6
Instruction Fuzzy Hash: DFE0D841D0E9C60FF7C5F72D08683656E81AF16250F9841F9C348C75EBEF189C44834A

Function 00007FF848CE59E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d606a3eff54a8afc23c6f3d9692f99aba78f197071398acf0b125e50e4cf453a
Instruction ID: 11913e66bb3651572384b436f33fbc1350db0cf984b1d8c38dbbe7828ec9d3e2
Opcode Fuzzy Hash: d606a3eff54a8afc23c6f3d9692f99aba78f197071398acf0b125e50e4cf453a
Instruction Fuzzy Hash: C8D05B3193CD150BEBD0F63851496F567D0CB54395F040677EC4DD61A4DE5D598142C9

Function 00007FF848CEEE20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560f5766db1974f73d8bbd978829ed2ead2dcccc5d857e2b3538a902aecb0540
Instruction ID: e2312e7b5e3153e6cd22780803644d12296de748d3cee8170b252be10d227ea4
Opcode Fuzzy Hash: 560f5766db1974f73d8bbd978829ed2ead2dcccc5d857e2b3538a902aecb0540
Instruction Fuzzy Hash: 23E0B64041FAC95FCA86B77C899A0A97FA19E0A2C0B4844DAD4898F1E2F108140E8306

Function 00007FF848CE04D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c84f2a12976bfcb2155221b706b85f60fe6c51ff9c6c3d97b3be2760ff48b53
Instruction ID: e1cf41f729ec127559e8c51d564f835e21e313b5e6ac55f018319c80584f9c52
Opcode Fuzzy Hash: 7c84f2a12976bfcb2155221b706b85f60fe6c51ff9c6c3d97b3be2760ff48b53
Instruction Fuzzy Hash: A0D0C711A6DC2A19FBEC715C61513F85181CF49760F515076FD0DF22CADD9D1C9106D5

Function 00007FF848CE3B2C Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31620dac84fa7c1ed3e2c91ff248137d6c776cdc8490196acc4964ffe2440a01
Instruction ID: 2fc26f4505277ec03ab30a959b4f6bf3184d06856c56be2cab28ae9cf3d56264
Opcode Fuzzy Hash: 31620dac84fa7c1ed3e2c91ff248137d6c776cdc8490196acc4964ffe2440a01
Instruction Fuzzy Hash: 3BD01232E0894E9FEFC4FE5CD4A5ABDA7B2FB99301F604165D50CD36D2CA2898418780

Function 00007FF848CFB81B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dabcae79710d072ffc6c257a38d8c6757f8da0075a82004df2bb01404858398
Instruction ID: e741dbeb7df52de36b238e7944330f034690eca8f55b939a0e2e95c17e943eef
Opcode Fuzzy Hash: 6dabcae79710d072ffc6c257a38d8c6757f8da0075a82004df2bb01404858398
Instruction Fuzzy Hash: 68D0A711B15E090785A1A73C74000EAA2D1EB84230B400B76D15AC32C9EF2D94438345

Function 00007FF848CE118C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f940b305a966e21a75a46e91d59cc2e0fa73a1191d9023589f5eeac1ff2fa3a
Instruction ID: 15b7bdaf30557811a7c2da1a4615778c1d68edffa2bb157fdb7be0ee28b69d96
Opcode Fuzzy Hash: 7f940b305a966e21a75a46e91d59cc2e0fa73a1191d9023589f5eeac1ff2fa3a
Instruction Fuzzy Hash: 7AD0A7601285C46FD748D728C4A1BB63BE2EF4F248F5C008DC0CA47293C2295807C742

Function 00007FF848CE3B59 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction ID: 9a41d2727a708efb5158fd4969e72509397430df7050b02a408e7a08f6506b7b
Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction Fuzzy Hash: DFC01232A0880C8E8F80EA9CA0056ECB7A0EB88221F042032D10DE2100CA2424504790

Function 00007FF848CFEF81 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17834229a8b82ec3ab3fedc478e2bf69b7b879a3d5ca4f62e43692e902bd5cb6
Instruction ID: 4d32d9e4f3af9cc0dc80ba158bd00edd5640a5d4bc77b5e30b883fbf10879ddf
Opcode Fuzzy Hash: 17834229a8b82ec3ab3fedc478e2bf69b7b879a3d5ca4f62e43692e902bd5cb6
Instruction Fuzzy Hash: B9C02B33F0140846D740F668EC055FA3350EBC8292F100033C70CC3451CE1018144380

Non-executed Functions

Function 00007FF848CF95A9 Relevance: 14.0, Strings: 11, Instructions: 264COMMON

Download Yara Rule

Strings

`GH, xrefs: 00007FF848CF9621
8LH, xrefs: 00007FF848CF96D1
PGH, xrefs: 00007FF848CF9611
JH, xrefs: 00007FF848CF9691
hLH, xrefs: 00007FF848CF9701
pGH, xrefs: 00007FF848CF9631
xNH, xrefs: 00007FF848CF9731
GH, xrefs: 00007FF848CF95E1
xLH, xrefs: 00007FF848CF9711
HLH, xrefs: 00007FF848CF96E1
@GH, xrefs: 00007FF848CF9601

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: GH$ JH$8LH$@GH$HLH$PGH$`GH$hLH$pGH$xLH$xNH
API String ID: 0-2037268505
Opcode ID: eb7299be98c9f35223495f1a6e2c109eba28a07d04b9ba3d6c8bb0b6c239f662
Instruction ID: 55d1b6f63157a358d9cc6914308782e998fede80d2ae9dbb7b8db59e58d3af79
Opcode Fuzzy Hash: eb7299be98c9f35223495f1a6e2c109eba28a07d04b9ba3d6c8bb0b6c239f662
Instruction Fuzzy Hash: 6981B142D0E6C14FF797A67C69291746FA0EF535ADF1D01FBC2848B0E79A09490A839A

Function 00007FF848CE85FA Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

M_^$, xrefs: 00007FF848CE86CA
M_^, xrefs: 00007FF848CE8622
M_^#, xrefs: 00007FF848CE86C2
M_^, xrefs: 00007FF848CE85FA

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^#$M_^$
API String ID: 0-3697010251
Opcode ID: a1784b22039dc77b41b82fb73ee3a7a12f26eab9af5079dd2e176202b95df262
Instruction ID: fe91cc995286947c32038134b77845c2a4cb40441f062585b2d328ed53082eb8
Opcode Fuzzy Hash: a1784b22039dc77b41b82fb73ee3a7a12f26eab9af5079dd2e176202b95df262
Instruction Fuzzy Hash: C231D0B2E1D6568FE367BA1964040B8B7E4EF102A5F4A0BF6C17CD60C2BE183804929D

Function 00007FF848CE8BFA Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FF848CE8C6A
M_^, xrefs: 00007FF848CE8C12
M_^, xrefs: 00007FF848CE8C2A
M_^, xrefs: 00007FF848CE8C7A

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 7bda09cdd35d5b5f8363d1a4f1bd76d4e7b31ea505cb3402e5ccac0e371d69e6
Instruction ID: 78017493a56747b57d29ff521d81114cea6ad376f0a8ece6bbbe674cb88f4d24
Opcode Fuzzy Hash: 7bda09cdd35d5b5f8363d1a4f1bd76d4e7b31ea505cb3402e5ccac0e371d69e6
Instruction Fuzzy Hash: 662188B3E0E9458FE386AB2D4C5E0A577D0FF21758B8E02F5D059CB1A3FE19644AC249

Function 00007FF848CE8BF8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FF848CE8C6A
M_^, xrefs: 00007FF848CE8C12
M_^, xrefs: 00007FF848CE8C2A
M_^, xrefs: 00007FF848CE8C7A

Memory Dump Source

Source File: 00000000.00000002.2553892643.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_bootstraper.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 5a4056a9fd64b7a1ebb1f4b584cf777a6aed9e0d28d492105764ac102af02f40
Instruction ID: b2da9e92270877c3fa8b2dee7f4ef3129e811402bb484b062b3a2784a6f09158
Opcode Fuzzy Hash: 5a4056a9fd64b7a1ebb1f4b584cf777a6aed9e0d28d492105764ac102af02f40
Instruction Fuzzy Hash: 9C2188B3E0E9458FE386AB2D4C5E0A477D0FF21758B4E02F5D058CB1A3FE196446C249

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bootstraper.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bootstraper.exe_ca15c659264497fc63bd796592de28a0dbe052ad_fcc18e5f_d2694d61-796f-40bf-a3a2-91ead7b808d4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER411.tmp.xml

C:\Users\user\Desktop\DISCORD

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
bootstraper.exe