Edit tour

Windows Analysis Report
BootStrapper.exe

Overview

General Information

Sample name:	BootStrapper.exe
Analysis ID:	1580863
MD5:	1d3a607fc1ac39cc65eb12852ee80b11
SHA1:	8d81228aee9ec472b9eead61de86a3686847c747
SHA256:	1800b9a8d7f6d2c97901dbc8f736959ef155496a3b7f95dd7019f9a4c68d57bc
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BootStrapper.exe (PID: 2736 cmdline: "C:\Users\user\Desktop\BootStrapper.exe" MD5: 1D3A607FC1AC39CC65EB12852EE80B11)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BootStrapper.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\BootStrapper.exe" MD5: 1D3A607FC1AC39CC65EB12852EE80B11)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["observerfry.lat", "wordyfindy.lat", "curverpluch.lat", "shapestickyr.lat", "bashfulacid.lat", "talkynicer.lat", "manyrestro.lat", "tentabatte.lat", "slipperyloo.lat"], "Build id": "yau6Na--976664372"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:03.265324+0100	2028371	3	Unknown Traffic	192.168.2.6	49707	23.55.153.106	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:01.395723+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.6	65255	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:01.054220+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.6	52560	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:00.631944+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.6	63622	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:00.772630+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.6	62869	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:00.490740+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.6	56750	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:00.912866+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.6	61100	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:01.202266+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.6	56560	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:00.350098+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.6	59709	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:34:04.046099+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49707	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["observerfry.lat", "wordyfindy.lat", "curverpluch.lat", "shapestickyr.lat", "bashfulacid.lat", "talkynicer.lat", "manyrestro.lat", "tentabatte.lat", "slipperyloo.lat"], "Build id": "yau6Na--976664372"}

Multi AV Scanner detection for submitted file

Source: BootStrapper.exe	Virustotal: Detection: 43%			Perma Link
Source: BootStrapper.exe	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.4% probability

Machine Learning detection for sample

Source: BootStrapper.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: observerfry.lat
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--976664372

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 3_2_00DE1A80 FreeConsole,CryptDestroyKey,

3_2_00DE1A80

Source: BootStrapper.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: BootStrapper.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DFA1A8 FindFirstFileExW,	0_2_00DFA1A8
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DFA259 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00DFA259
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DFA1A8 FindFirstFileExW,	3_2_00DFA1A8
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DFA259 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00DFA259

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_0043F39E
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, ebx	3_2_0040B79B
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	3_2_0041D050
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041780D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h	3_2_004410D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Ch]	3_2_0042788F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edi, dword ptr [ebp-10h]	3_2_0041C900
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042B100
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ecx, eax	3_2_00427917
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then test eax, eax	3_2_0043A120
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+338E7E12h]	3_2_0043A120
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ebx, eax	3_2_00405930
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ebp, eax	3_2_00405930
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	3_2_0043A9D6
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then sub edx, 01h	3_2_004409E0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx]	3_2_00426190
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	3_2_0043E9B3
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0000026Dh]	3_2_00415200
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Ch]	3_2_00427A3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041F2C0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004292E0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-535229ACh]	3_2_004402B0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then sub edx, 01h	3_2_004402B0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h]	3_2_00409370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_00409370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402B70
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00436370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov eax, ecx	3_2_00408B00
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042D306
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then jmp dword ptr [00448B7Ch]	3_2_00428307
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-6Fh]	3_2_004393C0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-535229ACh]	3_2_004403D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then sub edx, 01h	3_2_004403D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h]	3_2_0042BBE3
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h]	3_2_0042BC53
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000258h]	3_2_0043EC60
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_00416C77
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042D4D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_00440CE0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-53h]	3_2_00419C90
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_00419C90
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 798ECF08h	3_2_00439490
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	3_2_00439490
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042D49A
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004074A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_004074A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h]	3_2_0042BB19
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then sub edx, 01h	3_2_00440550
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_0041C561
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+26h]	3_2_0041C561
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041C561
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	3_2_00426513
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_00425DEA
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00425DEA
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+446E8726h]	3_2_00441DA0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	3_2_0043A640
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042D64C
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-38h]	3_2_0043EE50
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042A660
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, eax	3_2_0041966B
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00425E70
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then sub edx, 01h	3_2_00440600
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	3_2_00440E00
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], EABBD981h	3_2_0040DE13
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00417E1A
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ebx, eax	3_2_00417E1A
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2DC31920h]	3_2_00422E3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_00422E3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+74842D10h]	3_2_00422E3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then sub edx, 01h	3_2_00440690
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5B5F0E69h]	3_2_004146A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov eax, ecx	3_2_004146A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004146A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch]	3_2_004396A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ecx, eax	3_2_00426EB0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ecx, eax	3_2_0040A770
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then push eax	3_2_00415F19
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-4835D6BBh]	3_2_0040D7CF
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov ecx, edx	3_2_004227E0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00416790
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00416790
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx]	3_2_0041E7A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 4x nop then movsx ecx, byte ptr [edi+eax]	3_2_0043F7B2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.6:59709 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.6:52560 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.6:56560 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.6:62869 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.6:63622 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.6:61100 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.6:65255 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.6:56750 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49707 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: observerfry.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 23.55.153.106:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=9bb70760be177dbab1860100; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 26 Dec 2024 11:34:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: afe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BootStrapper.exe, 00000003.00000003.2168393978.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.0000000001011000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169400962.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169400962.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168875044.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169511899.0000000001030000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: BootStrapper.exe, 00000003.00000003.2168875044.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169511899.0000000001030000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shopo
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 3_2_00433600 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433600

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 3_2_00433600 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433600

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 3_2_0043403E GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_0043403E

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE1000	0_2_00DE1000
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE7B46	0_2_00DE7B46
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DF2370	0_2_00DF2370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DFFCA2	0_2_00DFFCA2
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DFDECA	0_2_00DFDECA
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DEC692	0_2_00DEC692
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0040ADEC	3_2_0040ADEC
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004085F0	3_2_004085F0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00408800	3_2_00408800
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041780D	3_2_0041780D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004410D0	3_2_004410D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042788F	3_2_0042788F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00403900	3_2_00403900
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041C900	3_2_0041C900
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00412100	3_2_00412100
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043A120	3_2_0043A120
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00405930	3_2_00405930
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043D1C0	3_2_0043D1C0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004081D0	3_2_004081D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043A9D6	3_2_0043A9D6
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042C9D4	3_2_0042C9D4
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004259E4	3_2_004259E4
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00433180	3_2_00433180
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00424990	3_2_00424990
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00406240	3_2_00406240
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00410A57	3_2_00410A57
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00415200	3_2_00415200
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00431210	3_2_00431210
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041E220	3_2_0041E220
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00427A3F	3_2_00427A3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004042B0	3_2_004042B0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004402B0	3_2_004402B0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041DB40	3_2_0041DB40
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00409370	3_2_00409370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00426B70	3_2_00426B70
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00422370	3_2_00422370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00408B00	3_2_00408B00
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00424B00	3_2_00424B00
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00428307	3_2_00428307
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00421B10	3_2_00421B10
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043CB20	3_2_0043CB20
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004403D0	3_2_004403D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004413E0	3_2_004413E0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00404BF0	3_2_00404BF0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041AB80	3_2_0041AB80
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00438C5D	3_2_00438C5D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00416C77	3_2_00416C77
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00437C78	3_2_00437C78
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042AC30	3_2_0042AC30
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042F4F6	3_2_0042F4F6
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00419C90	3_2_00419C90
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00416492	3_2_00416492
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042CCA2	3_2_0042CCA2
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004074A0	3_2_004074A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004264B0	3_2_004264B0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00438CB0	3_2_00438CB0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041E540	3_2_0041E540
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00423D40	3_2_00423D40
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0040CD4E	3_2_0040CD4E
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00440550	3_2_00440550
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041C561	3_2_0041C561
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042D57F	3_2_0042D57F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004385C7	3_2_004385C7
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00411DC9	3_2_00411DC9
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00418DE6	3_2_00418DE6
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004115F1	3_2_004115F1
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00420583	3_2_00420583
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0042E64D	3_2_0042E64D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041966B	3_2_0041966B
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00440600	3_2_00440600
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00440E00	3_2_00440E00
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041DE10	3_2_0041DE10
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00417E1A	3_2_00417E1A
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00422E3F	3_2_00422E3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00402EC0	3_2_00402EC0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004066D0	3_2_004066D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00426ED0	3_2_00426ED0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00405E80	3_2_00405E80
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00440690	3_2_00440690
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004146A0	3_2_004146A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004396A0	3_2_004396A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00426EB0	3_2_00426EB0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00429740	3_2_00429740
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0040A770	3_2_0040A770
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00428770	3_2_00428770
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00441700	3_2_00441700
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00438F10	3_2_00438F10
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043D710	3_2_0043D710
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00415F19	3_2_00415F19
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00436F2C	3_2_00436F2C
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0040D7CF	3_2_0040D7CF
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043A7D0	3_2_0043A7D0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004227E0	3_2_004227E0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00416FF0	3_2_00416FF0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0040C782	3_2_0040C782
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043AF80	3_2_0043AF80
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00408F90	3_2_00408F90
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00416790	3_2_00416790
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00430797	3_2_00430797
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0041E7A0	3_2_0041E7A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0043F7B2	3_2_0043F7B2
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE1000	3_2_00DE1000
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE7B46	3_2_00DE7B46
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DF2370	3_2_00DF2370
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DFFCA2	3_2_00DFFCA2
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DFDECA	3_2_00DFDECA
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DEC692	3_2_00DEC692

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: String function: 00DF52BD appears 40 times
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: String function: 00DF07A7 appears 42 times
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: String function: 00DE8050 appears 102 times
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: String function: 00407FE0 appears 41 times
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: String function: 00414690 appears 95 times

Source: BootStrapper.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: BootStrapper.exe

Static PE information: Section: .bss ZLIB complexity 1.0003360896915585

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@10/1

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 3_2_004318D2 CoCreateInstance,

3_2_004318D2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03

Source: BootStrapper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BootStrapper.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BootStrapper.exe	Virustotal: Detection: 43%
Source: BootStrapper.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\BootStrapper.exe

File read: C:\Users\user\Desktop\BootStrapper.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BootStrapper.exe "C:\Users\user\Desktop\BootStrapper.exe"
Source: C:\Users\user\Desktop\BootStrapper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BootStrapper.exe	Process created: C:\Users\user\Desktop\BootStrapper.exe "C:\Users\user\Desktop\BootStrapper.exe"
Source: C:\Users\user\Desktop\BootStrapper.exe	Process created: C:\Users\user\Desktop\BootStrapper.exe "C:\Users\user\Desktop\BootStrapper.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootStrapper.exe	Section loaded: dpapi.dll	Jump to behavior

Source: BootStrapper.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: BootStrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BootStrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BootStrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BootStrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BootStrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE820A push ecx; ret	0_2_00DE821D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00E176BD push ecx; retf	0_2_00E176BE
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00440240 push eax; mov dword ptr [esp], DED9D88Bh	3_2_00440245
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_004464FA push edx; ret	3_2_00446500
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_0044666E push cs; ret	3_2_00446682
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00446627 push cs; ret	3_2_00446682
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00449E23 push cs; ret	3_2_00449E3F
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00449E23 pushfd ; ret	3_2_00449EB4
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00449EA1 pushfd ; ret	3_2_00449EB4
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00430797 push 89240489h; mov dword ptr [esp], eax	3_2_004307CB
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE820A push ecx; ret	3_2_00DE821D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00E176BD push ecx; retf	3_2_00E176BE

Source: C:\Users\user\Desktop\BootStrapper.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\BootStrapper.exe TID: 5232

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DFA1A8 FindFirstFileExW,	0_2_00DFA1A8
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DFA259 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00DFA259
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DFA1A8 FindFirstFileExW,	3_2_00DFA1A8
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DFA259 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00DFA259

Source: BootStrapper.exe, 00000003.00000003.2168875044.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169511899.0000000001030000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt _
Source: BootStrapper.exe, 00000003.00000003.2168875044.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169511899.0000000001030000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 3_2_0043EBA0 LdrInitializeThunk,

3_2_0043EBA0

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 0_2_00DF04F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DF04F9

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00E0F19E mov edi, dword ptr fs:[00000030h]	0_2_00E0F19E
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE1360 mov edi, dword ptr fs:[00000030h]	0_2_00DE1360
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE1730 mov edi, dword ptr fs:[00000030h]	0_2_00DE1730
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE1360 mov edi, dword ptr fs:[00000030h]	3_2_00DE1360
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE1730 mov edi, dword ptr fs:[00000030h]	3_2_00DE1730

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 0_2_00DF5BB5 GetProcessHeap,

0_2_00DF5BB5

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE7B1E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00DE7B1E
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DF04F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DF04F9
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE7EDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DE7EDA
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 0_2_00DE7ECE SetUnhandledExceptionFilter,	0_2_00DE7ECE
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE7B1E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00DE7B1E
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DF04F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00DF04F9
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE7EDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00DE7EDA
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: 3_2_00DE7ECE SetUnhandledExceptionFilter,	3_2_00DE7ECE

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 0_2_00E0F19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00E0F19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BootStrapper.exe

Memory written: C:\Users\user\Desktop\BootStrapper.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: BootStrapper.exe, 00000000.00000002.2127489303.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: observerfry.lat

Source: C:\Users\user\Desktop\BootStrapper.exe

Process created: C:\Users\user\Desktop\BootStrapper.exe "C:\Users\user\Desktop\BootStrapper.exe"

Jump to behavior

Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	0_2_00DF9AB0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	0_2_00DF9A51
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	0_2_00DF9BD0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	0_2_00DF9B85
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	0_2_00DF54A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00DF9C77
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	0_2_00DF9D7D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00DF9512
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	0_2_00DF4EFC
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00DF97FE
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	0_2_00DF9763
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	3_2_00DF9AB0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	3_2_00DF9A51
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	3_2_00DF9BD0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	3_2_00DF9B85
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	3_2_00DF54A0
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00DF9C77
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	3_2_00DF9D7D
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00DF9512
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,	3_2_00DF4EFC
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00DF97FE
Source: C:\Users\user\Desktop\BootStrapper.exe	Code function: EnumSystemLocalesW,	3_2_00DF9763

Source: C:\Users\user\Desktop\BootStrapper.exe

Code function: 0_2_00DE8C37 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00DE8C37

Source: C:\Users\user\Desktop\BootStrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BootStrapper.exe	43%	Virustotal		Browse
BootStrapper.exe	42%	ReversingLabs	Win32.Trojan.Generic
BootStrapper.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
wordyfindy.lat	unknown	unknown	true	unknown
slipperyloo.lat	unknown	unknown	true	unknown
curverpluch.lat	unknown	unknown	true	unknown
tentabatte.lat	unknown	unknown	true	unknown
manyrestro.lat	unknown	unknown	true	unknown
bashfulacid.lat	unknown	unknown	true	unknown
shapestickyr.lat	unknown	unknown	true	unknown
observerfry.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
curverpluch.lat	false	high
slipperyloo.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
observerfry.lat	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
wordyfindy.lat	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shopo	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	BootStrapper.exe, 00000003.00000003.2168875044.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169511899.0000000001030000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169355791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168875044.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000002.2169511899.0000000001030000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168393978.000000000102E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	BootStrapper.exe, 00000003.00000003.2168351907.0000000001076000.00000004.00000020.00020000.00000000.sdmp, BootStrapper.exe, 00000003.00000003.2168351907.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580863
Start date and time:	2024-12-26 12:33:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BootStrapper.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 31 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:33:59	API Interceptor	5x Sleep call for process: BootStrapper.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.55.153.106	Loader.exe	Get hash	malicious	LummaC	Browse
	Script.exe	Get hash	malicious	LummaC	Browse
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.121.10.34
	2ZsJ2iP8Q2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LopCYSStr3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	23.44.201.30
	armv7l.elf	Get hash	malicious	Mirai	Browse	2.18.19.83
	armv5l.elf	Get hash	malicious	Mirai	Browse	23.62.62.162
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	23.209.72.39
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	88.221.134.155
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	RIMz2N1u5y.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5RRVBiCpFI.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MPySEh8HaF.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	23.55.153.106
	ciwa.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer	Browse	23.55.153.106
	Set-up.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.662456002797942
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BootStrapper.exe
File size:	518'144 bytes
MD5:	1d3a607fc1ac39cc65eb12852ee80b11
SHA1:	8d81228aee9ec472b9eead61de86a3686847c747
SHA256:	1800b9a8d7f6d2c97901dbc8f736959ef155496a3b7f95dd7019f9a4c68d57bc
SHA512:	58936ef4057bb7792d7515d495ea519561a1dc5c64b76d6494daa148c526cd938207902bda069542a758a56cf9545a6279594248773ea08b5d1d3626c1e55b1e
SSDEEP:	12288:OZqOSYt4cgd2+GSOgHAO+QzZdbnnCQXLb:OsOSKgx/v+cnC0Lb
TLSH:	59B4E16675C18072C9A7193198F4DB759A7EF9300F31AACB63C44B3A8E716D18731B2B
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:........................@..........................0............@.....................................<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x408be2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x676BFDDD [Wed Dec 25 12:43:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a9da46e39a9cdaffa6def3d7b746c0a0

Entrypoint Preview

Instruction
call 00007F2C907A9B5Ah
jmp 00007F2C907A99C9h
mov ecx, dword ptr [0042F800h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F2C907A9B56h
test esi, ecx
jne 00007F2C907A9B78h
call 00007F2C907A9B81h
mov ecx, eax
cmp ecx, edi
jne 00007F2C907A9B59h
mov ecx, BB40E64Fh
jmp 00007F2C907A9B60h
test esi, ecx
jne 00007F2C907A9B5Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0042F800h], ecx
not ecx
pop edi
mov dword ptr [0042F840h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042DA5Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042DA10h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042DA0Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042DAA4h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00430F88h
call dword ptr [0042DA7Ch]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F2C907B08BAh
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d7f4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34000	0x1d80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x29b28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25fb0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2d9a0	0x170	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2381e	0x23a00	28687a01c6fa568872ae982fba881cfb	False	0.576404879385965	data	6.645994573837695	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x9de4	0x9e00	47199544a5de9c952a99bdeba92246a4	False	0.4287232990506329	data	4.98242541383292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x2754	0x1800	8ef6ad6dc3390546a2e587d33b754c2c	False	0.3720703125	data	4.57694484359984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x32000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0xe8	0x200	76660b904055370f27d3dce420e17802	False	0.306640625	data	2.338577594010538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34000	0x1d80	0x1e00	454b42aa5668ecfd23670a763d59b9d2	False	0.77265625	data	6.5387366619530765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x36000	0x4d000	0x4d000	caef6e3e6835aafb8ae796907a54c601	False	1.0003360896915585	data	7.999394979723871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x33060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ADVAPI32.dll

CryptDestroyKey

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T12:34:00.350098+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.6	59709	1.1.1.1	53	UDP
2024-12-26T12:34:00.490740+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.6	56750	1.1.1.1	53	UDP
2024-12-26T12:34:00.631944+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.6	63622	1.1.1.1	53	UDP
2024-12-26T12:34:00.772630+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.6	62869	1.1.1.1	53	UDP
2024-12-26T12:34:00.912866+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.6	61100	1.1.1.1	53	UDP
2024-12-26T12:34:01.054220+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.6	52560	1.1.1.1	53	UDP
2024-12-26T12:34:01.202266+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.6	56560	1.1.1.1	53	UDP
2024-12-26T12:34:01.395723+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.6	65255	1.1.1.1	53	UDP
2024-12-26T12:34:03.265324+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49707	23.55.153.106	443	TCP
2024-12-26T12:34:04.046099+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49707	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:34:01.745301962 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:01.745347977 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:01.745424032 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:01.749255896 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:01.749268055 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:03.265221119 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:03.265324116 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:03.268831968 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:03.268846035 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:03.269103050 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:03.309650898 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:03.315613031 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:03.363331079 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046125889 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046149969 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046181917 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046196938 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046220064 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:04.046233892 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046240091 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.046291113 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:04.239624977 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.239671946 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.239696026 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:04.239706993 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.239747047 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:04.246790886 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.246855974 CET	443	49707	23.55.153.106	192.168.2.6
Dec 26, 2024 12:34:04.246897936 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:04.248828888 CET	49707	443	192.168.2.6	23.55.153.106
Dec 26, 2024 12:34:04.248842001 CET	443	49707	23.55.153.106	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:34:00.206513882 CET	57140	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:00.346101999 CET	53	57140	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:00.350097895 CET	59709	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:00.487963915 CET	53	59709	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:00.490740061 CET	56750	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:00.629043102 CET	53	56750	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:00.631943941 CET	63622	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:00.770842075 CET	53	63622	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:00.772629976 CET	62869	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:00.910650015 CET	53	62869	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:00.912866116 CET	61100	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:01.050589085 CET	53	61100	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:01.054219961 CET	52560	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:01.197591066 CET	53	52560	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:01.202265978 CET	56560	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:01.340051889 CET	53	56560	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:01.395723104 CET	65255	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:01.533162117 CET	53	65255	1.1.1.1	192.168.2.6
Dec 26, 2024 12:34:01.591598034 CET	55667	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:34:01.739541054 CET	53	55667	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 12:34:00.206513882 CET	192.168.2.6	1.1.1.1	0x1220	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.350097895 CET	192.168.2.6	1.1.1.1	0x5317	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.490740061 CET	192.168.2.6	1.1.1.1	0x9c9	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.631943941 CET	192.168.2.6	1.1.1.1	0x68c8	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.772629976 CET	192.168.2.6	1.1.1.1	0x59f2	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.912866116 CET	192.168.2.6	1.1.1.1	0x66ab	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.054219961 CET	192.168.2.6	1.1.1.1	0xcc2f	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.202265978 CET	192.168.2.6	1.1.1.1	0xbd4d	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.395723104 CET	192.168.2.6	1.1.1.1	0x519e	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.591598034 CET	192.168.2.6	1.1.1.1	0x8145	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 12:34:00.346101999 CET	1.1.1.1	192.168.2.6	0x1220	Name error (3)	observerfry.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.487963915 CET	1.1.1.1	192.168.2.6	0x5317	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.629043102 CET	1.1.1.1	192.168.2.6	0x9c9	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.770842075 CET	1.1.1.1	192.168.2.6	0x68c8	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:00.910650015 CET	1.1.1.1	192.168.2.6	0x59f2	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.050589085 CET	1.1.1.1	192.168.2.6	0x66ab	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.197591066 CET	1.1.1.1	192.168.2.6	0xcc2f	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.340051889 CET	1.1.1.1	192.168.2.6	0xbd4d	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.533162117 CET	1.1.1.1	192.168.2.6	0x519e	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:34:01.739541054 CET	1.1.1.1	192.168.2.6	0x8145	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	23.55.153.106	443	2308	C:\Users\user\Desktop\BootStrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:34:03 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-26 11:34:04 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Dec 2024 11:34:03 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=9bb70760be177dbab1860100; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 11:34:04 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 11:34:04 UTC	10097	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
2024-12-26 11:34:04 UTC	1089	IN	Data Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>

Target ID:	0
Start time:	06:33:58
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\BootStrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BootStrapper.exe"
Imagebase:	0xde0000
File size:	518'144 bytes
MD5 hash:	1D3A607FC1AC39CC65EB12852EE80B11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:33:58
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:33:59
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\BootStrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BootStrapper.exe"
Imagebase:	0xde0000
File size:	518'144 bytes
MD5 hash:	1D3A607FC1AC39CC65EB12852EE80B11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	51

Executed Functions

Function 00E0F19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00E0F110,00E0F100), ref: 00E0F334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00E0F347
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 00E0F365
ReadProcessMemory.KERNELBASE(0000004C,?,00E0F154,00000004,00000000), ref: 00E0F389
VirtualAllocEx.KERNELBASE(0000004C,?,?,00003000,00000040), ref: 00E0F3B4
WriteProcessMemory.KERNELBASE(0000004C,00000000,?,?,00000000,?), ref: 00E0F40C
WriteProcessMemory.KERNELBASE(0000004C,00400000,?,?,00000000,?,00000028), ref: 00E0F457
WriteProcessMemory.KERNELBASE(0000004C,?,?,00000004,00000000), ref: 00E0F495
Wow64SetThreadContext.KERNEL32(00000098,007E0000), ref: 00E0F4D1
ResumeThread.KERNELBASE(00000098), ref: 00E0F4E0

Strings

SetThreadContext, xrefs: 00E0F2C2
VirtualAlloc, xrefs: 00E0F263
Load, xrefs: 00E0F1DA
CreateProcessW, xrefs: 00E0F250
GetThreadContext, xrefs: 00E0F276
aryA, xrefs: 00E0F1E2
VirtualAllocEx, xrefs: 00E0F29C
WriteProcessMemory, xrefs: 00E0F2AF
ress, xrefs: 00E0F226
ReadProcessMemory, xrefs: 00E0F289
TerminateProcess, xrefs: 00E0F3C3
ResumeThread, xrefs: 00E0F2D8
GetP, xrefs: 00E0F21E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00E0F333

Memory Dump Source

Source File: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 54a44dba1fa05245d4d5eca472cf45965211bae0ade97c7bcc4c02dd09195454
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 33B1087664064AAFDB60CF68CC80BDA73A5FF88714F158124EA0CAB741D774FA51CB94

Function 00DE1730 Relevance: 12.2, APIs: 8, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DE1180: _strlen.LIBCMT ref: 00DE11EA

CreateFileA.KERNELBASE ref: 00DE1791
GetFileSize.KERNEL32(00000000,00000000), ref: 00DE17A1
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00DE17C7
CloseHandle.KERNELBASE(00000000), ref: 00DE17D6
_strlen.LIBCMT ref: 00DE1834
CloseHandle.KERNEL32(00000000), ref: 00DE1946
GetModuleHandleA.KERNEL32(00000000), ref: 00DE19A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00DE19B6

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: File$Handle$CloseModule_strlen$CreateNameReadSize
String ID:
API String ID: 4043702072-0
Opcode ID: 17027a3f5b5ed186948479d479e7b344c9c19c87850d9226c5920a75b5ea9426
Instruction ID: f52a6b6fe08c4e71ee53ea1d8748fe2e714b15de5fd1f3709b19767ddf84f6a4
Opcode Fuzzy Hash: 17027a3f5b5ed186948479d479e7b344c9c19c87850d9226c5920a75b5ea9426
Instruction Fuzzy Hash: 536106B6A043809FD710FF26CC85B6EB7E4EF88314F454928F49997252E735D9848BB2

Function 00DE1360 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

Soon... Soon..., xrefs: 00DE150B

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID: Soon... Soon...
API String ID: 0-2191780827
Opcode ID: 10c9dd2621b98529bf6b2e0ce04d7589ac8bbca6f090bc2ccec1b0e4da7f491a
Instruction ID: 9d6d75af716cc26f5711954edf931845030b99019ee462b249364f2d370c7a86
Opcode Fuzzy Hash: 10c9dd2621b98529bf6b2e0ce04d7589ac8bbca6f090bc2ccec1b0e4da7f491a
Instruction Fuzzy Hash: 8C71A2352093848FC718EB29D495BFABBE5EFD5314F18886DE4DA87342C634D944CBA2

Function 00DF51F2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,495F5382,?,00DF5301,?,?,00000000), ref: 00DF52B3

Strings

api-ms-, xrefs: 00DF5249
ext-ms-, xrefs: 00DF525D

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b6ed5598f9654778ba3fbcba212659394d62eb865accbc48822a395a5536116e
Instruction ID: 999ba64b4d1832c851bfdf4280089b4bcb3732910a272ef71e7577445e8e25ba
Opcode Fuzzy Hash: b6ed5598f9654778ba3fbcba212659394d62eb865accbc48822a395a5536116e
Instruction Fuzzy Hash: E2212B31A05619AFCB219BB6FC40A7E7768DB41360F2A8250EF15B7284D631ED04C6F8

Function 00DE1B30 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00DE1B4A

Strings

ios_base::badbit set, xrefs: 00DE1EE4, 00DE1F02
ios_base::eofbit set, xrefs: 00DE1ED4
ios_base::failbit set, xrefs: 00DE1ED9

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 8bda31314622548aa10f71af2c943ac80aa36fbd3e63e2541b54525b8cd0c563
Instruction ID: 71a63f74ad229ff70d62d967c7df8f3aeb2582c428cdc65e3a14137aba0db6fe
Opcode Fuzzy Hash: 8bda31314622548aa10f71af2c943ac80aa36fbd3e63e2541b54525b8cd0c563
Instruction Fuzzy Hash: 68C17A393006418FC714EF29C484B6AB7E1FF89714F69866CE9998B3A1C735EC45CBA1

Function 00DEDA29 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_0000DB41,00000000,?,?), ref: 00DEDA72
GetLastError.KERNEL32 ref: 00DEDA7E
__dosmaperr.LIBCMT ref: 00DEDA85

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 7f888a9ed9df16c02580091c3279c7ed5a81f274a0cc0e018bd4f0c75ab439aa
Instruction ID: 28d8253f96613933425c686584901ea8dd99e1d9a4fa0651ba52ecc6b8d7fa71
Opcode Fuzzy Hash: 7f888a9ed9df16c02580091c3279c7ed5a81f274a0cc0e018bd4f0c75ab439aa
Instruction Fuzzy Hash: F601BC72518299AFCF15BFA2DC06AAE3BB6EF50364F104028F80192190EF71CE40DBB0

Function 00DEDBBF Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF45B4: GetLastError.KERNEL32(00000000,?,00DEFDB2,00DF55E2,?,?,00DF44B0,00000001,00000364,?,00000003,000000FF,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF45B8
Part of subcall function 00DF45B4: SetLastError.KERNEL32(00000000), ref: 00DF465A

CloseHandle.KERNEL32(?,?,?,00DEDAB9,?,?,00DEDB9F,00000000), ref: 00DEDBF0
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00DEDAB9,?,?,00DEDB9F,00000000), ref: 00DEDC06
ExitThread.KERNEL32 ref: 00DEDC0F

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 78b0aca812234befddb7e4daab3eb8a0ec5f54de587873eb9d269ad82fd49f03
Instruction ID: 66b2a774e6053c39a60a77a4c1ef4cf32b53db79abedd069d2c0b017fa79cfa7
Opcode Fuzzy Hash: 78b0aca812234befddb7e4daab3eb8a0ec5f54de587873eb9d269ad82fd49f03
Instruction Fuzzy Hash: F0F05E314046456FCB213B67CD08A6B3BAAAF443A0B1D8610FD29D71A1DFB2DC85C771

Function 00DEDD30 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00DEDDF2,00DF0A45,00DF0A45,?,00000002,495F5382,00DF0A45,00000002), ref: 00DEDD41
TerminateProcess.KERNEL32(00000000,?,00DEDDF2,00DF0A45,00DF0A45,?,00000002,495F5382,00DF0A45,00000002), ref: 00DEDD48
ExitProcess.KERNEL32 ref: 00DEDD5A

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 962ac3cc48df5573f87dd59fd6b914bc3873ad9b5df74e4f58a71c6e76e04d71
Instruction ID: 65344b202beec1045cdb53d5b207be6d618c1e5b90931cfd743cdc2c25d6c7e1
Opcode Fuzzy Hash: 962ac3cc48df5573f87dd59fd6b914bc3873ad9b5df74e4f58a71c6e76e04d71
Instruction Fuzzy Hash: 81D06C31008288BFCB013FA2DD099893F3BEB84391B544010B90A6A031CFB699969BA0

Function 00DE2780 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00DE27A8

Strings

ios_base::badbit set, xrefs: 00DE2782

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set
API String ID: 4218353326-3882152299
Opcode ID: dab97512b691b9041eeb7d63b56efdcaed364c4c8b54f4cd7cda1ac14ad9270c
Instruction ID: b7020cb972e74cb858c46ef809bdd32ead96916329c6eaa13d3855b41142d661
Opcode Fuzzy Hash: dab97512b691b9041eeb7d63b56efdcaed364c4c8b54f4cd7cda1ac14ad9270c
Instruction Fuzzy Hash: A131CFB2A043855BD700FF2ACC8592FBBEAEFD8304F554929F08587252E731D98487B2

Function 00DFBE60 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DFC20A: GetConsoleOutputCP.KERNEL32(495F5382,00000000,00000000,?), ref: 00DFC26D

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00DEC0E2,?,00DEC344), ref: 00DFBFE5
GetLastError.KERNEL32(?,00DEC0E2,?,00DEC344,?,00DEC344,?,?,?,?,?,?,?,?,?,?), ref: 00DFBFEF

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 67249d1945d14070f32ef5d11f688cb86156215c33a34c0f439e778cc0ac20a8
Instruction ID: 00dd23cf44163eddd5dc1d0cac3f3673722a14ccabb41c6ff0a07f5661a6293d
Opcode Fuzzy Hash: 67249d1945d14070f32ef5d11f688cb86156215c33a34c0f439e778cc0ac20a8
Instruction Fuzzy Hash: 3561C07191410DAFDF15DFA8DD44AFEBBB9AF49314F1A8186EA00A7212D732D911CBB0

Function 00DFC639 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00DFBFCB,?,00DEC344,?,?,?,00000000), ref: 00DFC6D5
GetLastError.KERNEL32(?,00DFBFCB,?,00DEC344,?,?,?,00000000,?,?,?,?,?,00DEC0E2,?,00DEC344), ref: 00DFC6FB

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: c5b3731dbd9f7dc9defae120682d3742abdabfb27ab1151ef4b0a257de7ca6ec
Instruction ID: e01e2c4d66284ca505e6eb32737b3f24ce1b59247249be58cf462101dc4b5a36
Opcode Fuzzy Hash: c5b3731dbd9f7dc9defae120682d3742abdabfb27ab1151ef4b0a257de7ca6ec
Instruction Fuzzy Hash: 67218D34A1421D9FCB15DF2ACD80AE9B7F9EB48305B1590A9EA06D7221D7309E868F60

Function 00DF5D12 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00DF5C01,00E0EC08), ref: 00DF5D5E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00DF5C01,00E0EC08), ref: 00DF5D70

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 90bd0e56f3e83aae7dfc742e782fbe941c8595c3a2a9f231b8e5a9706766d712
Instruction ID: 170c161f8cbc03b9c9e803052c64e4da045cc1d9e4e24b90432e5508a97d5f32
Opcode Fuzzy Hash: 90bd0e56f3e83aae7dfc742e782fbe941c8595c3a2a9f231b8e5a9706766d712
Instruction Fuzzy Hash: B511E731206F454ACB308E3EAC8C6727AA5A756334B3E4709D3BB875F9C374D886C260

Function 00DE1A80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00DE1A90

Part of subcall function 00DE1B30: _strlen.LIBCMT ref: 00DE1B4A

Part of subcall function 00DE3510: std::_Lockit::_Lockit.LIBCPMT ref: 00DE352C
Part of subcall function 00DE3510: std::_Lockit::_Lockit.LIBCPMT ref: 00DE354A
Part of subcall function 00DE3510: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE356C
Part of subcall function 00DE3510: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE35DA

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 00DE1B07

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$ConsoleDispatcherExceptionFreeUser_strlen
String ID:
API String ID: 2861529853-0
Opcode ID: e20f368f9974264654f8516d321829f48a966a84dc09d671516cbf7f428477d3
Instruction ID: efc154debf22acb55cef1799093cf26e0ccf69ff206a60a2c308965593cbf9e5
Opcode Fuzzy Hash: e20f368f9974264654f8516d321829f48a966a84dc09d671516cbf7f428477d3
Instruction Fuzzy Hash: C81170347003009FC754BB76D85AA2E7BE4FF89741B058068F40ACB3A1DA70DD40CB62

Function 00DEDB41 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00E0E6D8,0000000C), ref: 00DEDB54
ExitThread.KERNEL32 ref: 00DEDB5B

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 848b542fabbd998defcfa9bedc5296cfc1879fc3008445e4de8324be5133970c
Instruction ID: 4a37d1aa20ff09750d29222211aacf58d7923488605a821811b13fef96f7ab7f
Opcode Fuzzy Hash: 848b542fabbd998defcfa9bedc5296cfc1879fc3008445e4de8324be5133970c
Instruction Fuzzy Hash: B4F0C270904604AFDB00BFB1D84AA7E3B75EF80710F214559F505A7292DF755944CFB1

Function 00DF41D7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00DF8554,?,00000000,?,?,00DF81F4,?,00000007,?,?,00DF8B3A,?,?), ref: 00DF41ED
GetLastError.KERNEL32(?,?,00DF8554,?,00000000,?,?,00DF81F4,?,00000007,?,?,00DF8B3A,?,?), ref: 00DF41F8

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: c96057286071e3ba0959ab4e55e8891122e76a55031727d05f3833f15a2cd032
Instruction ID: 9aa488ce5dba41f853f2c41244f7066b940f8dabc75e9a25787c26d41280d920
Opcode Fuzzy Hash: c96057286071e3ba0959ab4e55e8891122e76a55031727d05f3833f15a2cd032
Instruction Fuzzy Hash: B1E0E632148614ABCB112FAAAC09F963BA8DB54751F194070F718D6560DA758994C7B8

Function 00DE681D Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b39ccb7f126b182573813d509010053a0a00b6589caef9821940611106d38ee
Instruction ID: 9f14f9efbaf0224b04ce71518ba536b201cedcb48a0a8b2ee05c0229c3b17066
Opcode Fuzzy Hash: 6b39ccb7f126b182573813d509010053a0a00b6589caef9821940611106d38ee
Instruction Fuzzy Hash: 01419F3190014AAFCB15EF6AC8908EDB7B9FF28354B54402AE546E7680E731E945DBB0

Function 00DE5541 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de6258aebe2a1326711d03d3d279300c7f973033cd1274f081e96b084466a10
Instruction ID: ae84d4e40154f2759db57103a41c14d06d029a98647017a12ef6a5afaf2863b9
Opcode Fuzzy Hash: 4de6258aebe2a1326711d03d3d279300c7f973033cd1274f081e96b084466a10
Instruction Fuzzy Hash: C331A53290055AAFCF15EF69D8808EDB7F9FF09364B54026AE511E7294D731E944CBB0

Function 00DE1660 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE1180: _strlen.LIBCMT ref: 00DE11EA

VirtualProtect.KERNELBASE(00E0F011,00000549,00000040,?), ref: 00DE16E0

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ProtectVirtual_strlen
String ID:
API String ID: 1613229118-0
Opcode ID: d96b79c4ba87e720b5d112792c8f93fed221d844384764cbf21380e221ba8c7e
Instruction ID: 3fdb6d181a8b06e52575075edec572b98afe833e6cbed0e02513d05055796d81
Opcode Fuzzy Hash: d96b79c4ba87e720b5d112792c8f93fed221d844384764cbf21380e221ba8c7e
Instruction Fuzzy Hash: A0118635B402086BDB14BBA59C03EAF7764EF84704F444434F608B76C2EA71A56086E1

Function 00DF52BD Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f7ae6af51fe6e23a23af5e8a82dfb5f605783b5e1c431392cf0267ee9c4745
Instruction ID: b156e7733382030bb03c843027479cc00bfb134a13df13a6838b4e2a238bd710
Opcode Fuzzy Hash: c8f7ae6af51fe6e23a23af5e8a82dfb5f605783b5e1c431392cf0267ee9c4745
Instruction Fuzzy Hash: 9401F537200A189FDB169FADFC40A6633E6FBC5360366C124FB109B498EA31D85497B0

Function 00DE5533 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 9aad9a045ed40e4104bc28b67d8d7e825bdb5219b3b33f2099218c78a4bdebb6
Instruction ID: 9cae121d42af2fb4cb4f6916f4d7e3302ac47e727f410dd3d31c114d7894a67f
Opcode Fuzzy Hash: 9aad9a045ed40e4104bc28b67d8d7e825bdb5219b3b33f2099218c78a4bdebb6
Instruction Fuzzy Hash: 4D0149736089C20ACF05EE7AB8296A9BB50EF96378B6401AFD001C80C5CA128810D730

Function 00DF4211 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00DF61EA,?,?,00DF61EA,00000220,?,00000001,?), ref: 00DF4243

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e619cf435de5f6f9eec8ede36ce3211aba3a230f0c76da5bc894337285a713ac
Instruction ID: e0751c52524899be8d8af388a0c69a812e7e6e65c2453aa6201242d00bc8fd43
Opcode Fuzzy Hash: e619cf435de5f6f9eec8ede36ce3211aba3a230f0c76da5bc894337285a713ac
Instruction Fuzzy Hash: 22E06C3250551956D7212A569C00777365CDF82BA0F5B8170FE5597191EA50DD4085B8

Non-executed Functions

Function 00DFFCA2 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00DFFEB9

Strings

1#QNAN, xrefs: 00DFFDB5
1#SNAN, xrefs: 00DFFDAE
1#INF, xrefs: 00DFFDD8
1#IND, xrefs: 00DFFDA7

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: eaff4426e0951b46880478a4a950efc0d0245a4e97c29d70d480bbdc54f3d16b
Instruction ID: b4c179dc98da13b3832d4033637415667924a3e5dfe232e2c546b3e8ec049b7f
Opcode Fuzzy Hash: eaff4426e0951b46880478a4a950efc0d0245a4e97c29d70d480bbdc54f3d16b
Instruction Fuzzy Hash: 08D21372E082298FDB65CE28DC447EAB7B5EB44304F1451EAD44DB6280EB78AEC58F51

Function 00DF9C77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00DF9648,00000002,00000000,?,?,?,00DF9648,?,00000000), ref: 00DF9D10
GetLocaleInfoW.KERNEL32(?,20001004,00DF9648,00000002,00000000,?,?,?,00DF9648,?,00000000), ref: 00DF9D39
GetACP.KERNEL32(?,?,00DF9648,?,00000000), ref: 00DF9D4E

Strings

OCP, xrefs: 00DF9CCB
ACP, xrefs: 00DF9C95

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 94d01ab8a0081fe6091291e26146c53a1d2f1827b0cfe33b1e74d5b22bc676cc
Instruction ID: 03497b1e79ced1b712e025affa3a3d69797ff06ca9f30cb42690f70699ce396a
Opcode Fuzzy Hash: 94d01ab8a0081fe6091291e26146c53a1d2f1827b0cfe33b1e74d5b22bc676cc
Instruction Fuzzy Hash: 4521B722E00108AAD7348B15CD10BB7F3A6EF94B6476BC524EB49D7214E732DE40C370

Function 00DF9512 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00DF961A
IsValidCodePage.KERNEL32(00000000), ref: 00DF9658
IsValidLocale.KERNEL32(?,00000001), ref: 00DF966B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00DF96B3
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00DF96CE

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 6821b2a4b8d13bd5510c6b9cf4e89360743b5ee8ad27057a58a49e92b0a02248
Instruction ID: 7838c44e3caa50ccc8532e82292858e01f0129d000b075f330729392f214ca2e
Opcode Fuzzy Hash: 6821b2a4b8d13bd5510c6b9cf4e89360743b5ee8ad27057a58a49e92b0a02248
Instruction Fuzzy Hash: 16514F71E002099FDB21EFA5DC91BBAB7B8EF04740F1A8065BA01E7190E77199448B71

Function 00DF2370 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction ID: cbd7a8ee87876727b0363ea108418731cc8229e01aac165094c50fa1a31966a9
Opcode Fuzzy Hash: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction Fuzzy Hash: 52022D71E012199BDF14DFA9D8906BEBBF1FF48314F258269DA19EB340D731A941CBA0

Function 00DFA259 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DFA349

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: cf593a78f0e73537c509592cfc088333c59c4a9b4db1725215f53e8a099d61e7
Instruction ID: 241324af2d0fc040e74a67a4fcf102f963ba41e9905d55b934a9402f0bd9c4c3
Opcode Fuzzy Hash: cf593a78f0e73537c509592cfc088333c59c4a9b4db1725215f53e8a099d61e7
Instruction Fuzzy Hash: 5A71E2B190516C5EDF20AF6CCC89ABAB7B8EB45300F1981D9E24DA7211DA314EC49F35

Function 00DE7EDA Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00DE7EE6
IsDebuggerPresent.KERNEL32 ref: 00DE7FB2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DE7FCB
UnhandledExceptionFilter.KERNEL32(?), ref: 00DE7FD5

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6934686a461ff26f3a8037478603f8f047baefc9e26b154d965c4818f6cb4f4a
Instruction ID: c451b917d866587a9f17451ef9af170abda560b54d017e44cb7e3e63fde58df3
Opcode Fuzzy Hash: 6934686a461ff26f3a8037478603f8f047baefc9e26b154d965c4818f6cb4f4a
Instruction Fuzzy Hash: DA31F7B5D092199BDB60EFA5DD497CDBBB8EF08300F1041EAE40CAB250EB719A85CF55

Function 00DE8C37 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00DE8C49
GetCurrentThreadId.KERNEL32 ref: 00DE8C58
GetCurrentProcessId.KERNEL32 ref: 00DE8C61
QueryPerformanceCounter.KERNEL32(?), ref: 00DE8C6E

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 500ae6b87a4f1ddc23458c3f1db8f489e605078f19ee3767f6317b1d2b0e6181
Instruction ID: efdec81e2d06600ef4e48ce10edf2320a56d1dabfe293033c7f358f7b2c821b6
Opcode Fuzzy Hash: 500ae6b87a4f1ddc23458c3f1db8f489e605078f19ee3767f6317b1d2b0e6181
Instruction Fuzzy Hash: 9CF05F75D1420DEFCB00DBF5DA4999EBBF4EF1C204B918996A412F6510E730AB889B50

Function 00DF97FE Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DF9852
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DF989C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DF9962

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: c7c2e606c9d9f374bbb46141b2ffb9e4687ce63a8e9215e9e68b240ff0620d37
Instruction ID: 6eef0398a9b6368ae679fddaae64b3dafbed2e1af25355982d19e3457be8796c
Opcode Fuzzy Hash: c7c2e606c9d9f374bbb46141b2ffb9e4687ce63a8e9215e9e68b240ff0620d37
Instruction Fuzzy Hash: A1618071D5010B9FDB289F29CC92BBAB3A8EF08310F16C169EA05D6285E775D985CF70

Function 00DF04F9 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00DF05F1
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00DF05FB
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00DF0608

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 38ad40053e8686aec1a5cf07a2b19eca574c94961d9d39f988e86bda41610066
Instruction ID: 16916dc4f9ea518411986c11212efb7fd81efff47bdb71100818ece59120826e
Opcode Fuzzy Hash: 38ad40053e8686aec1a5cf07a2b19eca574c94961d9d39f988e86bda41610066
Instruction Fuzzy Hash: DB31C27590122D9BCB21DF69DC88799BBB8BF08310F5081EAE81CA7251E7709F858F54

Function 00DF54A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF0790: EnterCriticalSection.KERNEL32(?,?,00DF48F0,?,00E0EB68,00000008,00DF47E2,?,?,?), ref: 00DF079F

EnumSystemLocalesW.KERNEL32(00DF5493,00000001,00E0EBE8,0000000C,00DF4DF8,-00000050), ref: 00DF54D8

Strings

I, xrefs: 00DF54CC, 00DF54E5

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID: I
API String ID: 1272433827-3707901625
Opcode ID: fe7d12a8f236f337455f96d48ec27b7f2e30c7807f2c4192076668671c0e0dbd
Instruction ID: dcddd585ed2c7b31388ac60534f9834f4083acf8bfeaa1bdc3a61667f5e8ec7a
Opcode Fuzzy Hash: fe7d12a8f236f337455f96d48ec27b7f2e30c7807f2c4192076668671c0e0dbd
Instruction Fuzzy Hash: CEF03C36A402059FD710EF99E842B9D7BF0EB44721F0080AAF610A72E1C77599448F60

Function 00DFDECA Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DFDE25,?,?,00000008,?,?,00E042BB,00000000), ref: 00DFE0F7

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 959419e0a7e5de3d3b93625a3aa49840d0eb9d0e2600ee19deb7955385e47e00
Instruction ID: 4ebb35a9a220a1bb27d6bbfdb54f2cb17d4ca546d37eb7c9e5424fa7f34d99e2
Opcode Fuzzy Hash: 959419e0a7e5de3d3b93625a3aa49840d0eb9d0e2600ee19deb7955385e47e00
Instruction Fuzzy Hash: 5BB15831210608DFD714CF28C48AB647BE1FF45364F2AC698EA9ACF2A1C775E981CB50

Function 00DE7B46 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00DE7B5C

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f90f777b4ec8051f1035513f4acae04b8c51c0624f05593a197d72d8e003bc6c
Instruction ID: 94423a19b86bc08a0ec2a2a58cfdb776eeac7acad556d2e29f45aea5b2105b5a
Opcode Fuzzy Hash: f90f777b4ec8051f1035513f4acae04b8c51c0624f05593a197d72d8e003bc6c
Instruction Fuzzy Hash: 40A169B29046058FDB6CCF5AE8826ADBBF0FB48310F28C12AD415E7760D3759895CF60

Function 00DFA1A8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF5590: HeapAlloc.KERNEL32(00000008,?,?,?,00DF44B0,00000001,00000364,?,00000003,000000FF,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF55D1

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DFA349
FindNextFileW.KERNEL32(00000000,?), ref: 00DFA43D
FindClose.KERNEL32(00000000), ref: 00DFA47C
FindClose.KERNEL32(00000000), ref: 00DFA4AF

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: a9ff081fc80ac4a8fd891a3c610e4ee272e8894a73d0a8c37cb0fe0469fd91c5
Instruction ID: 0aa922a108a426e42ec9e1b29e2fe36cd39a1f407a3e87d8f284f55401bc788d
Opcode Fuzzy Hash: a9ff081fc80ac4a8fd891a3c610e4ee272e8894a73d0a8c37cb0fe0469fd91c5
Instruction Fuzzy Hash: D75178B1A0020D6FDF10AF6C9C85ABE77B9DF85314F1AC199FA0D97201EA318D819B75

Function 00DF9AB0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DF9B04

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: dc5d94530e4de340e631ccb496bdb42722003cd770feda8475d688217adbf7a7
Instruction ID: 2b79ba818874af7c6432e2c2d541f34dc22e80724edd16ed94935194d2484553
Opcode Fuzzy Hash: dc5d94530e4de340e631ccb496bdb42722003cd770feda8475d688217adbf7a7
Instruction Fuzzy Hash: 1E218632E1410AABDF289F25EC91F7AB3ACEF45310B1580B9FA01D6141EA74ED448B74

Function 00DF9BD0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DF9C24

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5c18f5c5391ae6ec6ed56057a26b68ade04c0f513950a15a3d1289f9099076e7
Instruction ID: e3e57e15d95860b1d0d85ee100e63426c90bcfae5efe8f93a417d2cd121bc91f
Opcode Fuzzy Hash: 5c18f5c5391ae6ec6ed56057a26b68ade04c0f513950a15a3d1289f9099076e7
Instruction Fuzzy Hash: 2F11E972A1010AABDB14AB29DC56BBAB7ECEF44320B11817AF705D7241EB74ED448B70

Function 00DF9763 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

EnumSystemLocalesW.KERNEL32(00DF97FE,00000001,00000000,?,-00000050,?,00DF95EE,00000000,-00000002,00000000,?,00000055,?), ref: 00DF97D5

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f114c2c8608a86f0bcb3fb42f81a3c6359884b6789d8c47dcb6e8db205d1b0c7
Instruction ID: f705741691b2c0bfd99a77a8418a58799f9c91b9b6f12c1143f4ae0c13b158e9
Opcode Fuzzy Hash: f114c2c8608a86f0bcb3fb42f81a3c6359884b6789d8c47dcb6e8db205d1b0c7
Instruction Fuzzy Hash: F611293AA143099FDB18AF39D8E167AF791FF80718B19842CE64647640D3717942C750

Function 00DF9D7D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00DF9A1A,00000000,00000000,?), ref: 00DF9DA9

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: e95350ed1422cf37c09cf81019949e181726cf54b18d9737d8d3e8c7b8c4f876
Instruction ID: 93790db8049dba0a991b1bd959529fd7d84b634d360b2dfd48a02203da0f01d3
Opcode Fuzzy Hash: e95350ed1422cf37c09cf81019949e181726cf54b18d9737d8d3e8c7b8c4f876
Instruction Fuzzy Hash: 6B01FE32E1411ABBDB186725CC55BBBB764DB40758F268429EE42E3180DA74FE41C6B0

Function 00DF9A51 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

EnumSystemLocalesW.KERNEL32(00DF9AB0,00000001,?,?,-00000050,?,00DF95B6,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00DF9A9B

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b2fb4028409b322b46bb007014e64ba2392f77fa33298b39e6a9d99252c3adc3
Instruction ID: 1a90a39bafee2807b0b3318e65581b42bc8acdcc2b881c12b9e689972e512360
Opcode Fuzzy Hash: b2fb4028409b322b46bb007014e64ba2392f77fa33298b39e6a9d99252c3adc3
Instruction Fuzzy Hash: 8AF0C8366043085FDB245F359891776BB95EB80768F0AC42CF6454B680C6B19C41C660

Function 00DF9B85 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

EnumSystemLocalesW.KERNEL32(00DF9BD0,00000001,?,?,?,00DF9610,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00DF9BBC

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e66f977da20cb3eb6e84a97cc356e113818a2570825126b00f19471493114188
Instruction ID: 30892dff6cfe2ea6c4d307c61ea7af7e5a02d9c9e14e1c2f5313d211c0453e72
Opcode Fuzzy Hash: e66f977da20cb3eb6e84a97cc356e113818a2570825126b00f19471493114188
Instruction Fuzzy Hash: 80F0E536B0020D5BCB049F36E8A577ABFA4EFC1724F0B8059EB058B290C6B59846C7A0

Function 00DF4EFC Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00DEF4FC,?,20001004,00000000,00000002,?,?,00DEE40E), ref: 00DF4F30

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4c33ebc570a18ace3195213128bfb286ce28cb9b5fabd71c86a1765b7bb43db8
Instruction ID: e4ba5466a376978ec85f50a196ebc69c83c716ec9c2b39f554b344e067f30774
Opcode Fuzzy Hash: 4c33ebc570a18ace3195213128bfb286ce28cb9b5fabd71c86a1765b7bb43db8
Instruction Fuzzy Hash: 5BE04F3250861CBBDF222F61EC04ABE7F25EF447A1F058011FE0965225CB728D61ABF1

Function 00DE7ECE Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007FEF), ref: 00DE7ED3

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a6d8a04922d658dca86097caafcb86a29817d9de629fb55c72aa41ff9fb0dbf
Instruction ID: cda070009ed39ce8552cca82ddb394060a3643d095519b12009be272d6e61a70
Opcode Fuzzy Hash: 7a6d8a04922d658dca86097caafcb86a29817d9de629fb55c72aa41ff9fb0dbf
Instruction Fuzzy Hash:

Function 00DF5BB5 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00DF5BB5

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 092c6ef31f99b3fe5c80006acf16debd795f2b0d570fd14415ddf211726b3f1e
Instruction ID: 5b71e1e4fca8e22f059efdee2cabf763d7b9b865f7d7afab50958d2bd8b630ef
Opcode Fuzzy Hash: 092c6ef31f99b3fe5c80006acf16debd795f2b0d570fd14415ddf211726b3f1e
Instruction Fuzzy Hash: 91A0113020A2028F83008F33AE083083AE8BB88AA0300C0A8A008E0220EA3080888F00

Function 00DEC692 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65c9aba5e68b51de7620cd4c2a558637b5ff585c616ecb408e8528839dd28a0
Instruction ID: d1627c800ac75eda226b11e99ba14eb1ed838cd706f737c777105d4d0ad3ced1
Opcode Fuzzy Hash: e65c9aba5e68b51de7620cd4c2a558637b5ff585c616ecb408e8528839dd28a0
Instruction Fuzzy Hash: D2B1A57192068A8BCB34FE7A8995ABEB7A1AF04300F18661DD592D7691D730DE03CF71

Function 00DE1000 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34e242257f47ac829ee5ccda0ed4c600997801315c33a2cd0d2bcec78d01fdf
Instruction ID: e79045ae1f644f8445365944ab604aaa5e24c8f7b07929bcd90e6cc4466303df
Opcode Fuzzy Hash: f34e242257f47ac829ee5ccda0ed4c600997801315c33a2cd0d2bcec78d01fdf
Instruction Fuzzy Hash: 254125353042514FC758AF79D8A643BBBD9EF8A750B04866DEA068F3A1E630DD00C7E5

Function 00E03052 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00C7FEF0,00C7FEF0,00000000,7FFFFFFF,?,00E0303D,00C7FEF0,00C7FEF0,00000000,00C7FEF0,?,?,?,?,00C7FEF0,00000000), ref: 00E030F8
__alloca_probe_16.LIBCMT ref: 00E031B3
__alloca_probe_16.LIBCMT ref: 00E03242
__freea.LIBCMT ref: 00E0328D
__freea.LIBCMT ref: 00E03293
__freea.LIBCMT ref: 00E032C9
__freea.LIBCMT ref: 00E032CF
__freea.LIBCMT ref: 00E032DF

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 6573fadd78bc2fc68cee2d703acf034759b4f7da3777c44864bb35766cf4bce6
Instruction ID: 803f2255ed5f6ca718b36c5d8f8f45018459fad0ed819ddbca10a132b51680ba
Opcode Fuzzy Hash: 6573fadd78bc2fc68cee2d703acf034759b4f7da3777c44864bb35766cf4bce6
Instruction Fuzzy Hash: C871D432A052496BDF20AEB48C42BEF77BEDF49314F291156E904B72D1DB35DE8087A0

Function 00DE84F5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00DE853C
__alloca_probe_16.LIBCMT ref: 00DE8568
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00DE85A7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DE85C4
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DE8603
__alloca_probe_16.LIBCMT ref: 00DE8620
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00DE8662
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00DE8685

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: fe180f332e25159f454f79c6a182b52dd10dbfdce3451fe8f25728e7de33801c
Instruction ID: 4880b5364267334018169af178fc5fe2a45dd79d6a5a494ab1652616ead248c7
Opcode Fuzzy Hash: fe180f332e25159f454f79c6a182b52dd10dbfdce3451fe8f25728e7de33801c
Instruction Fuzzy Hash: 53519572600296AFEF206F66CC45FAA7BB9EF44740F154429F919E61A0DF71CD10AB70

Function 00DF712B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DF71B1

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction ID: 0695cd1e1e6ae1f3c77ce41dec3f76d062159855aea176ce0b5fd57e56cf71b5
Opcode Fuzzy Hash: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction Fuzzy Hash: ECB13532A08359AFDB118F68CC81BFE7BE5EF55310F1A8155EA54AF282D274E941C7B0

Function 00DE9470 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DE94A7
___except_validate_context_record.LIBVCRUNTIME ref: 00DE94AF
_ValidateLocalCookies.LIBCMT ref: 00DE9538
__IsNonwritableInCurrentImage.LIBCMT ref: 00DE9563
_ValidateLocalCookies.LIBCMT ref: 00DE95B8

Strings

csm, xrefs: 00DE954D

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3f2a77fab19f3edacd7835f55e025b1b1a0e9896461055f27d1c33e875ae7a5f
Instruction ID: 820b9385f84d5b116ff0975f5a78d8e60f27f6cfe0b06f086c8e610330473107
Opcode Fuzzy Hash: 3f2a77fab19f3edacd7835f55e025b1b1a0e9896461055f27d1c33e875ae7a5f
Instruction Fuzzy Hash: 9B41F470A01258ABCF11EF6ACC50AAEBBB0EF45314F188155E914AB392D731DE51CBB0

Function 00DE8397 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DE83AB
AcquireSRWLockExclusive.KERNEL32(00DE3C74,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE83CA
AcquireSRWLockExclusive.KERNEL32(00DE3C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE83F8
TryAcquireSRWLockExclusive.KERNEL32(00DE3C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE8453
TryAcquireSRWLockExclusive.KERNEL32(00DE3C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE846A

Strings

ios_base::badbit set, xrefs: 00DE83E1

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ios_base::badbit set
API String ID: 66001078-3882152299
Opcode ID: 8186baf1ee1864bc40e2b168836b4f9f6bcdd5d064c8826411c34a26184d3881
Instruction ID: a7348529115968df8e77dbe70d49768eb8c2b82b24eff67b7af2caf5308c33d7
Opcode Fuzzy Hash: 8186baf1ee1864bc40e2b168836b4f9f6bcdd5d064c8826411c34a26184d3881
Instruction Fuzzy Hash: 1E417F3190068BDFCB20EF66C9809AAB3F6FF04310B544A29D59ED7581DB34E984EB71

Function 00DE87AC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DE87B2
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00DE87C0
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00DE87D1

Strings

GetTempPath2W, xrefs: 00DE87C6
GetSystemTimePreciseAsFileTime, xrefs: 00DE87BA
kernel32.dll, xrefs: 00DE87AD

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 599065eaedb5f71178af49c5afb966f26d5d3c03d1e320ec1336d1ab2f5587ce
Instruction ID: 459819d7645375eade34717b5f9fc3dce67cb9507f67429e2071a07c8f46d6ac
Opcode Fuzzy Hash: 599065eaedb5f71178af49c5afb966f26d5d3c03d1e320ec1336d1ab2f5587ce
Instruction Fuzzy Hash: 6AD09231B89324AFC3119FB6BC0E8CA3AA4EBD97127065226F401F26A0D6B504C9DB95

Function 00DFD1ED Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c020c1041dd1485256da8669917ac8ffd71321b1229cfc5199e8f2c135110de7
Instruction ID: fa3c1e0d2354014cd2989fa8ef9ebdcf589e7a4a2659b384c45f98b437dc9925
Opcode Fuzzy Hash: c020c1041dd1485256da8669917ac8ffd71321b1229cfc5199e8f2c135110de7
Instruction Fuzzy Hash: 70B1E070A0424DAFDF01DF9AD840BBE7BB3EF45314F198258EA10AB292C770A941CB71

Function 00DF2FAC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DF2FA3,00DE9247,00DE8033), ref: 00DF2FBA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DF2FC8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DF2FE1
SetLastError.KERNEL32(00000000,00DF2FA3,00DE9247,00DE8033), ref: 00DF3033

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cdc0d9fdaac8ac2b1449e39d592798d14c5a021e75917ad4d8c124de95a5724
Instruction ID: 0bf10dc6f381b32ad6ee8e3187b90b65b820328cc2b03bee55232649f29c7cfc
Opcode Fuzzy Hash: 1cdc0d9fdaac8ac2b1449e39d592798d14c5a021e75917ad4d8c124de95a5724
Instruction Fuzzy Hash: 7501283221E2196ED6342BB67C965372768DF403B1727C33AF710558F5EF924C455270

Function 00DF3874 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00DF3993
CallUnexpected.LIBVCRUNTIME ref: 00DF3C0C

Strings

csm, xrefs: 00DF391E
csm, xrefs: 00DF38B1
csm, xrefs: 00DF39CA

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 3b16d3868138efbd767aafba024ec43b708e91218006db5da46ee3124bab8b3a
Instruction ID: 4ce3705854d32fb971d6a4a9218a5f2be4d1986a082f6da776f845d53bc05b09
Opcode Fuzzy Hash: 3b16d3868138efbd767aafba024ec43b708e91218006db5da46ee3124bab8b3a
Instruction Fuzzy Hash: 2AB1567180020DAFCF24EFA5C8819BEBBB5EF04314B1B855AEA156B212D771DA51CBB1

Function 00DE2EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DE2F0C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE2F2A
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE2F4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE2FBA

Strings

ios_base::badbit set, xrefs: 00DE2EF2

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: 25eae4eab398cb68d9dfd57a65277488bcb592e5213aeec1cd9f5922a46134a6
Instruction ID: 853b56d5812957b162e938dca860220ab243f04dacdcf3c7b7b3c55b5fe9a2ba
Opcode Fuzzy Hash: 25eae4eab398cb68d9dfd57a65277488bcb592e5213aeec1cd9f5922a46134a6
Instruction Fuzzy Hash: 0821CA719042448FC720FF1BD845A6AB3B4EF54324F09845DF5999B2A2DB30AC44CBA2

Function 00DE4BE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE4BEA
std::_Lockit::_Lockit.LIBCPMT ref: 00DE4BF7
std::_Lockit::_Lockit.LIBCPMT ref: 00DE4C61
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE4C7B

Part of subcall function 00DE433F: _Yarn.LIBCPMT ref: 00DE435F
Part of subcall function 00DE433F: _Yarn.LIBCPMT ref: 00DE4383

Strings

bad locale name, xrefs: 00DE4C45

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
String ID: bad locale name
API String ID: 3084819986-1405518554
Opcode ID: c079021154c7a9aab7ebd07d326ff7ac51e23ae9fa8d0e02af973a5a23a090b1
Instruction ID: 7d47e9c31bb9a393cccb988afb7ff0998695806197ad40031942e2b2953ab088
Opcode Fuzzy Hash: c079021154c7a9aab7ebd07d326ff7ac51e23ae9fa8d0e02af973a5a23a090b1
Instruction Fuzzy Hash: C3116371941784DFC720EF6AD58168ABBE4FF18310F50492EE18AD3651D770A544CB79

Function 00DEDC95 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,495F5382,?,?,00000000,00E046BA,000000FF,?,00DEDD56,00000002,?,00DEDDF2,00DF0A45), ref: 00DEDCCA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DEDCDC
FreeLibrary.KERNEL32(00000000,?,?,00000000,00E046BA,000000FF,?,00DEDD56,00000002,?,00DEDDF2,00DF0A45), ref: 00DEDCFE

Strings

mscoree.dll, xrefs: 00DEDCC3
CorExitProcess, xrefs: 00DEDCD4

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fcbac6e40dfd96293f55a4cf884b973e1de8056ad819927269f17dc1e7115fc8
Instruction ID: bd35ccd547a0c0a0919e38cd17d68184dddc250c92e18d025c416558e929bf9c
Opcode Fuzzy Hash: fcbac6e40dfd96293f55a4cf884b973e1de8056ad819927269f17dc1e7115fc8
Instruction Fuzzy Hash: BF01F232A04319AFCB119F91CC09BAEB7B9FB44B20F044125F811B22D0DBB59880CB90

Function 00DF59C6 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00DF5A4B
__alloca_probe_16.LIBCMT ref: 00DF5B14
__freea.LIBCMT ref: 00DF5B7B

Part of subcall function 00DF4211: RtlAllocateHeap.NTDLL(00000000,00DF61EA,?,?,00DF61EA,00000220,?,00000001,?), ref: 00DF4243

__freea.LIBCMT ref: 00DF5B8E
__freea.LIBCMT ref: 00DF5B9B

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: ca2da58e2e26a0a57baaa8dec529c9f338e038d96d8ea8dd560cc420ab3494ae
Instruction ID: 7677e8dab87c54e5476388ab25f15bf402b9265d04a7a7bc5334177fdc1c5649
Opcode Fuzzy Hash: ca2da58e2e26a0a57baaa8dec529c9f338e038d96d8ea8dd560cc420ab3494ae
Instruction Fuzzy Hash: 4451C47260064EAFEB205F65EC81EBB77A9EF45714B1B8529FF08D6144EB30DD109670

Function 00DE5E93 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE5E9A
std::_Lockit::_Lockit.LIBCPMT ref: 00DE5EA4
int.LIBCPMT ref: 00DE5EBB

Part of subcall function 00DE4C50: std::_Lockit::_Lockit.LIBCPMT ref: 00DE4C61
Part of subcall function 00DE4C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE4C7B

codecvt.LIBCPMT ref: 00DE5EDE
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE5F15

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: b96990ff4cfbe5de18ffe3463aee7b1c7bc3c8b3da047d103a28f71f18058c7f
Instruction ID: fdbafd4c422745edf6f9449eb2e835c8f7f5db8d67e75e65d668d0d1e2f7f4a5
Opcode Fuzzy Hash: b96990ff4cfbe5de18ffe3463aee7b1c7bc3c8b3da047d103a28f71f18058c7f
Instruction Fuzzy Hash: F801C0759005998FCB05FBA3E9156AE77B0EF84324F284409F5116B2C1CF709E45CBB1

Function 00DE4565 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE456C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE4577
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE45E5

Part of subcall function 00DE4439: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00DE4451

std::locale::_Setgloballocale.LIBCPMT ref: 00DE4592
_Yarn.LIBCPMT ref: 00DE45A8

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 2812d8d1d106a1008f2db71f0cbcf8db5420a684d8118ac7ae94a34e3b6c53b8
Instruction ID: f86aa15af4d4c04ee5069475a838426308c974eb24ee974880d6ec29ca4dd9e9
Opcode Fuzzy Hash: 2812d8d1d106a1008f2db71f0cbcf8db5420a684d8118ac7ae94a34e3b6c53b8
Instruction Fuzzy Hash: B701F275A006648FC706FF62D85557C77A1FF84740B18400AE912673C1CF74AE86DBB2

Function 00DFEE61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00DFEEFD,00000000,?,00E112F0,?,?,?,00DFEE34,00000004,InitializeCriticalSectionEx,00E08254,00E0825C), ref: 00DFEE6E
GetLastError.KERNEL32(?,00DFEEFD,00000000,?,00E112F0,?,?,?,00DFEE34,00000004,InitializeCriticalSectionEx,00E08254,00E0825C,00000000,?,00DF3EBC), ref: 00DFEE78
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00DFEEA0

Strings

api-ms-, xrefs: 00DFEE85

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: ea8487c91dd8a3ed2879f16ee51a38397a10894400ae1d6baa7cf4a8650d6126
Instruction ID: c5556c3ed1bb9602e9e8c8d0c788c9dd49ea6682546d48b9f59783b916232ad2
Opcode Fuzzy Hash: ea8487c91dd8a3ed2879f16ee51a38397a10894400ae1d6baa7cf4a8650d6126
Instruction Fuzzy Hash: DAE01271388209BBEB101BA3EC06B293B649B10B51F148020FA0CB84E1D762A8949698

Function 00DFC20A Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(495F5382,00000000,00000000,?), ref: 00DFC26D

Part of subcall function 00DF4321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DF5B71,?,00000000,-00000008), ref: 00DF4382

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DFC4BF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DFC505
GetLastError.KERNEL32 ref: 00DFC5A8

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 878bbe877c267f06ad24acd7aab3a1b0fe371a98741084019fc88313f775ace8
Instruction ID: bf99068bc3a0f43698068655fdfe5a4c095ad5c97afc0c806ea5a1f4b61e911b
Opcode Fuzzy Hash: 878bbe877c267f06ad24acd7aab3a1b0fe371a98741084019fc88313f775ace8
Instruction Fuzzy Hash: C6D189B5D0024C9FCF15CFE8C9809EDBBB5EF48304F29816AE656EB351D630A955CB60

Function 00DF359B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00DF3662
___AdjustPointer.LIBCMT ref: 00DF3685
___AdjustPointer.LIBCMT ref: 00DF3721

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a5ba0e345a314cbb7273280f3ad49105a013c48e6b4cc7e4625951096abf51f0
Instruction ID: 68574aea1de5a43aec77110b2886bc4a2ae6432fcc5beda89d211c1f351cfe3e
Opcode Fuzzy Hash: a5ba0e345a314cbb7273280f3ad49105a013c48e6b4cc7e4625951096abf51f0
Instruction Fuzzy Hash: 7951E77160124ABFEB299F15D841B7AB7A4EF44314F2B842DEA0687791D731EE40CB70

Function 00DE3510 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DE352C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE354A
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE356C
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE35DA

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 38de123562bd7deafe080d3491a57cf62e026ed0f87d565fc44c96929daf5552
Instruction ID: 6a389e89c771f9287708d1f10cc56ce1eb46f080d3797a1514c177b6169e1d52
Opcode Fuzzy Hash: 38de123562bd7deafe080d3491a57cf62e026ed0f87d565fc44c96929daf5552
Instruction Fuzzy Hash: 3221B1B19042849FC720FF1BD849AAA77A0EF54324F45855EF5495B3A1DB30AD44CFB2

Function 00DFA036 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DF5B71,?,00000000,-00000008), ref: 00DF4382

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00DFA09A
__dosmaperr.LIBCMT ref: 00DFA0A1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00DFA0DB
__dosmaperr.LIBCMT ref: 00DFA0E2

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 07fb058642029d844d95e7a804d40982ef6270fbb8e5c6c20a60ae0ae8b204f8
Instruction ID: ea12c9e7d606e860502f12653e258f3cb0ee7bd347cc7f324137f5a954cbecc2
Opcode Fuzzy Hash: 07fb058642029d844d95e7a804d40982ef6270fbb8e5c6c20a60ae0ae8b204f8
Instruction Fuzzy Hash: 5D210AB1600649AFCB20AF6AEC4097BB7A9EF04364715C529FA2D97140DF31EC8087B2

Function 00DEB2D2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e9e33f29d57578d96f861caf3447c6f30812a28cb4f57d84e67d422f3ce50b
Instruction ID: 84269e022b1c9b3a6c1cc5b1b3e7e68634371409dc81b431773d51efd41a3402
Opcode Fuzzy Hash: 82e9e33f29d57578d96f861caf3447c6f30812a28cb4f57d84e67d422f3ce50b
Instruction Fuzzy Hash: 58216A31604A89AFDB20BFA78C8296BBBA9EF403747144526F969D7550E731FC508BB0

Function 00DFB42C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00DFB434

Part of subcall function 00DF4321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DF5B71,?,00000000,-00000008), ref: 00DF4382

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DFB46C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DFB48C

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 73319c548f6ff80d10e269c3091f42fc678944ed2aaf9cd80bc045f88a8b1a4b
Instruction ID: 07e9f02e4fadea9373482b657fdd409dcc6ae5e1f44047d6eeffe91d345b706b
Opcode Fuzzy Hash: 73319c548f6ff80d10e269c3091f42fc678944ed2aaf9cd80bc045f88a8b1a4b
Instruction Fuzzy Hash: 6011DBF590561D7FA71127B2DE8ACBF696CCE943A8356C016FB05E1102FB64DD408271

Function 00DE7155 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE715C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE7166
int.LIBCPMT ref: 00DE717D

Part of subcall function 00DE4C50: std::_Lockit::_Lockit.LIBCPMT ref: 00DE4C61
Part of subcall function 00DE4C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE4C7B

std::_Lockit::~_Lockit.LIBCPMT ref: 00DE71D7

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 99edb1b07d8562155c2a94dd9822cf6b38f75d51df9f4ad4fbaf22ca86d4289f
Instruction ID: 1995c8f72d6d9bed06fe15924fef280f43d3bb54d43644c5576b7a7064cdc4d0
Opcode Fuzzy Hash: 99edb1b07d8562155c2a94dd9822cf6b38f75d51df9f4ad4fbaf22ca86d4289f
Instruction Fuzzy Hash: 8411A1719042A5CFCB05FBA6D8156AD77B0EF84310F294449F9256B281CF709A45CBB1

Function 00E03310 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000), ref: 00E03327
GetLastError.KERNEL32(?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000,?,?,?,00DFBF42,?), ref: 00E03333

Part of subcall function 00E03384: CloseHandle.KERNEL32(FFFFFFFE,00E03343,?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000,?,?), ref: 00E03394

___initconout.LIBCMT ref: 00E03343

Part of subcall function 00E03365: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E03301,00E027EC,?,?,00DFC5FC,?,00000000,00000000,?), ref: 00E03378

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000,?), ref: 00E03358

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: cc4e862d556074735ced20344520b7aa051e7fe7ad4946ccd5ad33ee4e4db75a
Instruction ID: d72fe8b3c246e4fce20168282a04870b23ca772a4f0ba42df79e1f34fbdbc643
Opcode Fuzzy Hash: cc4e862d556074735ced20344520b7aa051e7fe7ad4946ccd5ad33ee4e4db75a
Instruction Fuzzy Hash: 45F01C3650411ABFCF221FE6DC49A997F6AFB483A0F108010FA18B5570CA7689A0DB90

Function 00DF8C16 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(?,?,00DEDB66,00E0E6D8,0000000C), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000), ref: 00DF4509

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00DEE2A6,?,?,?,00000055,?,-00000050,?,?,?), ref: 00DF8CD5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00DEE2A6,?,?,?,00000055,?,-00000050,?,?), ref: 00DF8D0C

Strings

utf8, xrefs: 00DF8DDE

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: ca1ba663dae4072fcc7d1bd840171ebc387eec7a8bc43f634d50c999a80678b5
Instruction ID: 8da9e6230c049ec25c30fa4851f1ad0fefccaacb67b753751f872493789ce9ee
Opcode Fuzzy Hash: ca1ba663dae4072fcc7d1bd840171ebc387eec7a8bc43f634d50c999a80678b5
Instruction Fuzzy Hash: 7351F731A00309AAD724AB70CC46BB773A8EF04700F1E8419FB55A71C1FF71D980A6B2

Function 00DF3C98 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00DF3B99,?,?,00000000,00000000,00000000,?), ref: 00DF3CBD

Strings

RCC, xrefs: 00DF3CD7
MOC, xrefs: 00DF3CCF

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: a747b2b3b00fdc0173e586be40d61b4cfe25941128fc12bfd85d04d77155acc5
Instruction ID: 6746268317bdf318de35c8cb59a8b8bbf87696ca8b7ba4eb2d6d0cb24857c8eb
Opcode Fuzzy Hash: a747b2b3b00fdc0173e586be40d61b4cfe25941128fc12bfd85d04d77155acc5
Instruction Fuzzy Hash: AB41587190024DAFCF15DF98CD81EAEBBB5FF48304F1A8059FA05AB266D3359A50DB60

Function 00DF3504 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00DF377B

Strings

csm, xrefs: 00DF380E
csm, xrefs: 00DF379D

Memory Dump Source

Source File: 00000000.00000002.2127598354.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2127576046.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127632958.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127650327.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127667427.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127686616.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127704582.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_BootStrapper.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 962d52b7a831290f4e8eecde69aebbd20b3eeb5ee7d7208f3fdcf468d98bf376
Instruction ID: 48c4bbcd053e290628a3333048fd607cb67a48a44853bbbc360afa706bf0cf4a
Opcode Fuzzy Hash: 962d52b7a831290f4e8eecde69aebbd20b3eeb5ee7d7208f3fdcf468d98bf376
Instruction Fuzzy Hash: 6831D2B240020CABCF225F55CC4097A7B66FF08755B1FC15AFE584A221C336CEA1DBA1

Analysis Process: BootStrapper.exePID: 2308, Parent PID: 2736COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.6%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 004085F0 Relevance: 7.7, APIs: 5, Instructions: 170
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408614
GetCurrentThreadId.KERNEL32 ref: 0040861E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408696
GetForegroundWindow.USER32 ref: 00408761

Part of subcall function 0040B470: FreeLibrary.KERNEL32(004087D9), ref: 0040B476
Part of subcall function 0040B470: FreeLibrary.KERNEL32 ref: 0040B497

ExitProcess.KERNEL32 ref: 004087F2

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: 21594b46850de91b9d7f1fcd097cf3db95484819d6bbf04f7650915a64ff1750
Instruction ID: e8cd0a5b1b6602d458645168f9022d0593551acc0d95c8fd4e55ee87bae5c504
Opcode Fuzzy Hash: 21594b46850de91b9d7f1fcd097cf3db95484819d6bbf04f7650915a64ff1750
Instruction Fuzzy Hash: 82418DB3B003004BD3186F798D15766B6C79BD5320F1E863EA895EB3DAEE789C054245

Function 0043EBA0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00441BF8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043EBCE

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043F39E Relevance: 1.4, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0043F4EA

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d029721911ace6ae7146d635cd2610f792fc7e2dd43cd493b89f1baae024793e
Instruction ID: ac99ad69f4e146c84b4f67b549d234f9fa435a805a225365c348144745e62db1
Opcode Fuzzy Hash: d029721911ace6ae7146d635cd2610f792fc7e2dd43cd493b89f1baae024793e
Instruction Fuzzy Hash: 9C51BEB4D112159BEB14CF54C8907BFB7B2FFA9315F04612DD4416B3A0EB785C0A8B98

Function 0040B79B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f67c24f99cd3bc66bd5b873502f9be22687b740bcac6bb5ea83f9132e44f2e
Instruction ID: 006929160d69d297b0fade613808cb138237ee9c33cbc0bff183a40fe4272359
Opcode Fuzzy Hash: a5f67c24f99cd3bc66bd5b873502f9be22687b740bcac6bb5ea83f9132e44f2e
Instruction Fuzzy Hash: 48F024796093805BD348CF34DCE1A6BBBA6E792608F05653CE58293290CA21DC598A4D

Function 00437426 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043744B

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 7c68332186bb1eccb24706d0910e4fa35c8b03fbb3c5cb4de671a5428ebb180b
Instruction ID: 927bd0fc9cd42a9714e357c3c949b392570058f034d69ee935772a38c2154aa8
Opcode Fuzzy Hash: 7c68332186bb1eccb24706d0910e4fa35c8b03fbb3c5cb4de671a5428ebb180b
Instruction Fuzzy Hash: 6B113A75A087A24FC7018F3C8D84259BF616B4A610F18C3ECD594573D6CB38A816C7D1

Function 0043ECE8 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043ED37

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a5036223926f76e7a30bb82d8b41372fba638fb8ce1a419d4bb5bda1a50e89be
Instruction ID: c78e23977c3e2a35fed25d62a8fd294347c45f883251edd20cfe32e08262873d
Opcode Fuzzy Hash: a5036223926f76e7a30bb82d8b41372fba638fb8ce1a419d4bb5bda1a50e89be
Instruction Fuzzy Hash: AFF0E2B09445D48BDB00CF7AAC593AA37A0EB56305F241975E112D72A1EB3898528B0D

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B2E9,?,00000001), ref: 0043EB72

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cfbf4a6718c87aec0984e55126ec68d7d5da04f3355e97993dcb15881ca12bd3
Instruction ID: f8d085a32fc5b2999584d7c69e937369889b9cf04708eea92d38761de7c40dc4
Opcode Fuzzy Hash: cfbf4a6718c87aec0984e55126ec68d7d5da04f3355e97993dcb15881ca12bd3
Instruction Fuzzy Hash: FDE02B72905210EBD301AF357C06F177A64AFCA715F050C36F505E2152D638F81196AF

Function 0043ED29 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043ED37

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a9ffe737249dc3e0122e0f7b10e8a54413ea6789124a50639fd91797d931d788
Instruction ID: e9d83bbf03ffa0495804572a0f9332504b97f5da304552063f637eff08c1ad84
Opcode Fuzzy Hash: a9ffe737249dc3e0122e0f7b10e8a54413ea6789124a50639fd91797d931d788
Instruction Fuzzy Hash: 06E012F9D401548FCB04DF64FC955243374FB562057144439E112C3271D735E522CB59

Function 0043CAF2 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043CB0B

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5a61d3da357a9b9377e023cb1afacc8d5594f4b24d9fa0354fd77178c021c893
Instruction ID: 1226c4ec29f38b57e24691680627c35296be4bb29b2a26d95288c068be923f2f
Opcode Fuzzy Hash: 5a61d3da357a9b9377e023cb1afacc8d5594f4b24d9fa0354fd77178c021c893
Instruction Fuzzy Hash: BAC08C70141122EBD3102F15BC0BB963A10AF01312F0208B2B0006D0B2CA78ECB0C6C8

Function 0043CAC0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,B19801D9,004086F7,B4B7D921), ref: 0043CAD0

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fc5eda2e49f68f0e30b130f1320f09b628e5b9bd0ed49f4e6fdc7f947bd58373
Instruction ID: 562293d3e3569241bb9a478438e2c4c3206b523b80c2934943ed8cc9fbbd0605
Opcode Fuzzy Hash: fc5eda2e49f68f0e30b130f1320f09b628e5b9bd0ed49f4e6fdc7f947bd58373
Instruction Fuzzy Hash: 76C04C71445121AAD6102B15EC09B867F54AF45751F014095B104660B286B0EC928AD8

Non-executed Functions

Function 00419C90 Relevance: 20.6, APIs: 2, Strings: 9, Instructions: 1349COMMON

Download Yara Rule

APIs

Part of subcall function 0043EBA0: LdrInitializeThunk.NTDLL(00441BF8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043EBCE

FreeLibrary.KERNEL32(?), ref: 0041A269
FreeLibrary.KERNEL32(?), ref: 0041A2DE

Strings

#v, xrefs: 0041A269, 0041A2DE
54+*, xrefs: 00419CC5
8I#K, xrefs: 00419FD6
~Q6S, xrefs: 00419FE6
XY, xrefs: 00419FF6
54+*, xrefs: 0041AA2B
2E'G, xrefs: 00419FCE
8U:W, xrefs: 00419FEE
54+*, xrefs: 0041A185

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 2E'G$54+*$54+*$54+*$8I#K$8U:W$XY$~Q6S$#v
API String ID: 764372645-1564964333
Opcode ID: 0f80e1662aea17d897eb7f5cc82f5f76a7864b0803524b2c06bda07c8fcedbb3
Instruction ID: 2c3f929d4cabc55a225c70deac7f21d0ad3b9eba4449c3fe9de0e78d4448d8f9
Opcode Fuzzy Hash: 0f80e1662aea17d897eb7f5cc82f5f76a7864b0803524b2c06bda07c8fcedbb3
Instruction Fuzzy Hash: 3982067460A3409FD714CB24D990BABBBE2EBC6314F18882DE58587352D779DC92CB4B

Function 004396A0 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 644memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044468C,00000000,00000001,0044467C,00000000), ref: 004399AB
SysAllocString.OLEAUT32(C197C794), ref: 00439A18
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439A56
SysAllocString.OLEAUT32(B2ECBC14), ref: 00439AD9
SysAllocString.OLEAUT32(77B37587), ref: 00439B6B
VariantInit.OLEAUT32(BFBEBDA4), ref: 00439BDB
VariantClear.OLEAUT32(BFBEBDA4), ref: 00439D18
SysFreeString.OLEAUT32(?), ref: 00439D3C
SysFreeString.OLEAUT32(?), ref: 00439D42
SysFreeString.OLEAUT32(00000000), ref: 00439D4F

Strings

&v, xrefs: 00439851

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: &v
API String ID: 2485776651-996230610
Opcode ID: c76a795488dcaea1087b38c4a21f4ec032b56208ede1dfedf05bb0fa22a11b63
Instruction ID: 2eae229d14a92933328e5725d2ae13478f160aa11d56bd9171fe0ff53e23d803
Opcode Fuzzy Hash: c76a795488dcaea1087b38c4a21f4ec032b56208ede1dfedf05bb0fa22a11b63
Instruction Fuzzy Hash: 4E22F072A083409FD714CF29C845B5BBBE6EFC9324F18992DE5958B381DB78D805CB86

Function 00415200 Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

U, xrefs: 00415C0F
54+*, xrefs: 00415595
iiat, xrefs: 00415947
8"D-, xrefs: 00415D41
BxBG, xrefs: 00415926
eH, xrefs: 00415952
("D-, xrefs: 00415CF1
^123, xrefs: 004152B1

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: ("D-$54+*$8"D-$BxBG$U$^123$eH$iiat
API String ID: 0-2540653402
Opcode ID: ece7e7512deb2f3d0905023b68c116b96d26401af29463b746300dd7e0310da3
Instruction ID: 07982f48521f8885066ce7338b4bbbb716ab1cb9c22f471718dbf28f94ce43d7
Opcode Fuzzy Hash: ece7e7512deb2f3d0905023b68c116b96d26401af29463b746300dd7e0310da3
Instruction Fuzzy Hash: 5A5213B5909340CBD7249F24D895BEF77E2FFC5314F08492EE48A8B291E7389841CB96

Function 00DE1730 Relevance: 10.7, APIs: 7, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE1180: _strlen.LIBCMT ref: 00DE11EA

GetFileSize.KERNEL32(00000000,00000000), ref: 00DE17A1
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DE17C7
CloseHandle.KERNEL32(00000000), ref: 00DE17D6
_strlen.LIBCMT ref: 00DE1834
CloseHandle.KERNEL32(00000000), ref: 00DE1946
GetModuleHandleA.KERNEL32(00000000), ref: 00DE19A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00DE19B6

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: FileHandle$CloseModule_strlen$NameReadSize
String ID:
API String ID: 3533648253-0
Opcode ID: 30957a93dfa80d009d331c360aa15aa6ef823aad65c672f5bcb3d9e8f8b0113e
Instruction ID: f52a6b6fe08c4e71ee53ea1d8748fe2e714b15de5fd1f3709b19767ddf84f6a4
Opcode Fuzzy Hash: 30957a93dfa80d009d331c360aa15aa6ef823aad65c672f5bcb3d9e8f8b0113e
Instruction Fuzzy Hash: 536106B6A043809FD710FF26CC85B6EB7E4EF88314F454928F49997252E735D9848BB2

Function 00422E3F Relevance: 10.0, Strings: 7, Instructions: 1220COMMON

Download Yara Rule

Strings

"=B, xrefs: 00423D12
%: !, xrefs: 00422F7F
%! 0, xrefs: 00422F87
de, xrefs: 00423253
H, xrefs: 00422FF4
4, xrefs: 00423032
x}}s, xrefs: 00422F17

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: "=B$%! 0$%: !$4$H$de$x}}s
API String ID: 0-695511230
Opcode ID: 19c0ccc2f21457345f6c989c8bd1b427ac2a30c96d4d5a23cba524a46654f40a
Instruction ID: 2d009fd93e7b9374216b3497db79d8202485ae03d753f23917b742f1bf9f436d
Opcode Fuzzy Hash: 19c0ccc2f21457345f6c989c8bd1b427ac2a30c96d4d5a23cba524a46654f40a
Instruction Fuzzy Hash: 41821F75708311CFD324CF28E89176BB7E2EB8A311F59897CE59187391D738A906CB86

Function 00417E1A Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 937COMMON

Download Yara Rule

Strings

S<.+, xrefs: 00417C0D, 00417C3A
A, xrefs: 00417BBC
54+*, xrefs: 00417FC5
\xy>, xrefs: 00418912

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: 54+*$A$S<.+$\xy>
API String ID: 0-3685461857
Opcode ID: 38d5dddfc1d7d73f8303f266aa0984ee0180c9c2ce3074419444b47f20e9dfdf
Instruction ID: b9dae982806908fc93e9902a33def771db61ac40b6c91c0664327fad2570cd92
Opcode Fuzzy Hash: 38d5dddfc1d7d73f8303f266aa0984ee0180c9c2ce3074419444b47f20e9dfdf
Instruction Fuzzy Hash: 115212726183418BC725CF28C8A17ABB7E2FFD6314F18496EE4C58B391DB399846C746

Function 00433600 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433622
GetClipboardData.USER32 ref: 00433643
CloseClipboard.USER32 ref: 00433788

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 9ace8d3d66c656d27122584beaa275d741043033d7610bd44cbfd8939ce7624b
Instruction ID: 5078fe84b0e2f8b0d482d572d4820ca8f51d2eda85a3955b293059345ad65239
Opcode Fuzzy Hash: 9ace8d3d66c656d27122584beaa275d741043033d7610bd44cbfd8939ce7624b
Instruction Fuzzy Hash: 9B41D4F480C7819FD700AF78D14A36ABFE0AB16345F04853ED48587641D37DA659C797

Function 00428770 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00428850
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004288B5

Strings

_\efg, xrefs: 00428A38
efg, xrefs: 004289AF
A%g', xrefs: 004287AE

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: A%g'$_\efg$efg
API String ID: 237503144-2372333709
Opcode ID: a7a1f39499a5e99c848ff68f033dae6045633c5ac20e702f25ecc2a0062ac25d
Instruction ID: ccad30b6dcc476866ed8e691afcd1205d7334b7ec1782e1d821448a32adf35b5
Opcode Fuzzy Hash: a7a1f39499a5e99c848ff68f033dae6045633c5ac20e702f25ecc2a0062ac25d
Instruction Fuzzy Hash: 41A1ACB2E002688FEB148FA8DC917DEBBB1FB45304F5145B9D91AAB281DB3059468F94

Function 00DF9C77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00DF9648,00000002,00000000,?,?,?,00DF9648,?,00000000), ref: 00DF9D10
GetLocaleInfoW.KERNEL32(?,20001004,00DF9648,00000002,00000000,?,?,?,00DF9648,?,00000000), ref: 00DF9D39
GetACP.KERNEL32(?,?,00DF9648,?,00000000), ref: 00DF9D4E

Strings

OCP, xrefs: 00DF9CCB
ACP, xrefs: 00DF9C95

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 94d01ab8a0081fe6091291e26146c53a1d2f1827b0cfe33b1e74d5b22bc676cc
Instruction ID: 03497b1e79ced1b712e025affa3a3d69797ff06ca9f30cb42690f70699ce396a
Opcode Fuzzy Hash: 94d01ab8a0081fe6091291e26146c53a1d2f1827b0cfe33b1e74d5b22bc676cc
Instruction Fuzzy Hash: 4521B722E00108AAD7348B15CD10BB7F3A6EF94B6476BC524EB49D7214E732DE40C370

Function 0041780D Relevance: 7.9, Strings: 6, Instructions: 427COMMON

Download Yara Rule

Strings

$w=q, xrefs: 004178AF
1c;m, xrefs: 0041788E
S<.+, xrefs: 00417C0D, 00417C3A
A, xrefs: 00417BBC
5k5u, xrefs: 004178A4
o4i, xrefs: 00417899

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: o4i$$w=q$1c;m$5k5u$A$S<.+
API String ID: 0-1763114429
Opcode ID: da2264087117273adc8f8cbb7abf3b3369941c733713fa4ddd61a4a78f3232fe
Instruction ID: afb31bd0c27c82544a17a6576629b60a2b4a96c899e5dad63360a4cbb890e339
Opcode Fuzzy Hash: da2264087117273adc8f8cbb7abf3b3369941c733713fa4ddd61a4a78f3232fe
Instruction Fuzzy Hash: D4D1ADB55093808BD7348F29C4A17EBB7E1EFD6314F05896ED4CA8B351EB785901CB86

Function 0040A770 Relevance: 7.9, Strings: 6, Instructions: 400COMMON

Download Yara Rule

Strings

%751, xrefs: 0040A789
j^h, xrefs: 0040A890
4=/U, xrefs: 0040A7DA
wNoL, xrefs: 0040A848
E]Qw, xrefs: 0040AB35
./, xrefs: 0040A93D

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: %751$./$4=/U$E]Qw$wNoL$j^h
API String ID: 0-997366216
Opcode ID: 9ad3b405c217e9d1e4c0f6edf70f746ac05b5820c8d0e78aa04361182b97f1d7
Instruction ID: 7a5dc0394ecbf34ac9b8307d7efc7bae40aec903ea1c7f0c69f60aa070f276f3
Opcode Fuzzy Hash: 9ad3b405c217e9d1e4c0f6edf70f746ac05b5820c8d0e78aa04361182b97f1d7
Instruction Fuzzy Hash: 12C19B7564C3444BD324EF6488502ABFBE39FC1304F19883DE4D5AB382D6B9C9168B8B

Function 00DF9512 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(00000000,?,00DF6842), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000,?,?,00000028,00DF0A12), ref: 00DF4509

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00DF961A
IsValidCodePage.KERNEL32(00000000), ref: 00DF9658
IsValidLocale.KERNEL32(?,00000001), ref: 00DF966B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00DF96B3
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00DF96CE

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: a916019a96acba87fb9da3a9433dba0684d52939aa7762203c5f44ada878443a
Instruction ID: 7838c44e3caa50ccc8532e82292858e01f0129d000b075f330729392f214ca2e
Opcode Fuzzy Hash: a916019a96acba87fb9da3a9433dba0684d52939aa7762203c5f44ada878443a
Instruction Fuzzy Hash: 16514F71E002099FDB21EFA5DC91BBAB7B8EF04740F1A8065BA01E7190E77199448B71

Function 00426190 Relevance: 6.5, Strings: 5, Instructions: 244COMMON

Download Yara Rule

Strings

pO, xrefs: 004262AC
*+, xrefs: 00426411
)L, xrefs: 0042629C
@C, xrefs: 004262A4
HR, xrefs: 004262B4

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: )L$*+$@C$HR$pO
API String ID: 0-3083683625
Opcode ID: 0aaee39fcba311e15bc1f38c0aae4a491dfa01ec6e052e56f652e43bf11aa76a
Instruction ID: 5fe24d867cb9075332fe1ade04ad22fabc6e99e6679ddeed31bd91dff5edfe56
Opcode Fuzzy Hash: 0aaee39fcba311e15bc1f38c0aae4a491dfa01ec6e052e56f652e43bf11aa76a
Instruction Fuzzy Hash: 637134B06493518BD310DF25E89166BBBF1EFD2360F58891DE4C18B391E7789505CB8B

Function 00DF2370 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction ID: cbd7a8ee87876727b0363ea108418731cc8229e01aac165094c50fa1a31966a9
Opcode Fuzzy Hash: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction Fuzzy Hash: 52022D71E012199BDF14DFA9D8906BEBBF1FF48314F258269DA19EB340D731A941CBA0

Function 00DFA259 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DFA349

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: ae8c24a28bde0d48dba88b705a4be6890d690bc1e9604e6ee67673976ad9159f
Instruction ID: 241324af2d0fc040e74a67a4fcf102f963ba41e9905d55b934a9402f0bd9c4c3
Opcode Fuzzy Hash: ae8c24a28bde0d48dba88b705a4be6890d690bc1e9604e6ee67673976ad9159f
Instruction Fuzzy Hash: 5A71E2B190516C5EDF20AF6CCC89ABAB7B8EB45300F1981D9E24DA7211DA314EC49F35

Function 00DE7EDA Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00DE7EE6
IsDebuggerPresent.KERNEL32 ref: 00DE7FB2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DE7FCB
UnhandledExceptionFilter.KERNEL32(?), ref: 00DE7FD5

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6934686a461ff26f3a8037478603f8f047baefc9e26b154d965c4818f6cb4f4a
Instruction ID: c451b917d866587a9f17451ef9af170abda560b54d017e44cb7e3e63fde58df3
Opcode Fuzzy Hash: 6934686a461ff26f3a8037478603f8f047baefc9e26b154d965c4818f6cb4f4a
Instruction Fuzzy Hash: DA31F7B5D092199BDB60EFA5DD497CDBBB8EF08300F1041EAE40CAB250EB719A85CF55

Function 00418DE6 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

-, xrefs: 00418E0A

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 26e56592e961bea5087d3fbf0724cf14b3badda5f92198c10e7eec8343564e6d
Instruction ID: 2db9ac68f453c0b2d94bf9f393f819a8b1a8f76bd3cef0c41518664d486a93b6
Opcode Fuzzy Hash: 26e56592e961bea5087d3fbf0724cf14b3badda5f92198c10e7eec8343564e6d
Instruction Fuzzy Hash: B0F114766183529BD714CF29C8906ABB7E2EFC9310F08896DE8C587391EB38DD45C752

Function 00415F19 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

gfff, xrefs: 0041621C
54+*, xrefs: 004162E5
:_A, xrefs: 00415F34
7, xrefs: 00416177

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: 54+*$7$:_A$gfff
API String ID: 0-323440868
Opcode ID: ef99c69aae7ebca8759eae803294edf467de6f070c2877fa02e645cc48d7660a
Instruction ID: 974855a4ab02da3001828df224cdb3c791939bff7d675949acd43d199703548e
Opcode Fuzzy Hash: ef99c69aae7ebca8759eae803294edf467de6f070c2877fa02e645cc48d7660a
Instruction Fuzzy Hash: 5EB13972A142118BD328CF38CC527EBBAD6EBC5314F0A867DD885DB395DB78980687C5

Function 0043403E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043406C
GetSystemMetrics.USER32 ref: 0043407B

Strings

, xrefs: 00434129

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 9263576a989dd9e8dd5ba1139270ca0a2cd30e8eaf9ab1227e7a8ea63402d5a7
Instruction ID: e93982ecca13eb1c7eb5bd9c416ca4066cf6d94eca1d44aa69bf2b87bfcca62b
Opcode Fuzzy Hash: 9263576a989dd9e8dd5ba1139270ca0a2cd30e8eaf9ab1227e7a8ea63402d5a7
Instruction Fuzzy Hash: 3931A3B49143548FDB00EFA8E98565DBBF0BB89704F11852EE498DB360D774A948CF86

Function 00426EB0 Relevance: 5.3, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

bxB, xrefs: 00427855
OI, xrefs: 004277B0
1>, xrefs: 00427687
*+, xrefs: 00427798

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: *+$1>$bxB$OI
API String ID: 0-1035774624
Opcode ID: b638a3a3900de88040439206c35891a4249c7e51ff3c4424b8b62b3d3637280b
Instruction ID: 2bcf0024169a31bcf5d17f9542290146e57be21ae5465408edeec82165f3d5e6
Opcode Fuzzy Hash: b638a3a3900de88040439206c35891a4249c7e51ff3c4424b8b62b3d3637280b
Instruction Fuzzy Hash: 3791ECB46083808FD734DF24E852BAFB7A1FB82314F44492DE5898B241DB789946CB5B

Function 00416790 Relevance: 5.2, Strings: 4, Instructions: 248COMMON

Download Yara Rule

Strings

54+*, xrefs: 004167B5
54+*, xrefs: 00416A2F, 004169AF
MnA, xrefs: 00416A4D
54+*, xrefs: 004168C5

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID: 54+*$54+*$54+*$MnA
API String ID: 2994545307-957495038
Opcode ID: 8f06322f8e6d6c7ea759cd23599a080b87f48ffbe2650b3fb3614bfedb925110
Instruction ID: dd597300f9b4ef6573e6ef65d23cc5c487566c46e2a7da0a635b7d7db396d5cc
Opcode Fuzzy Hash: 8f06322f8e6d6c7ea759cd23599a080b87f48ffbe2650b3fb3614bfedb925110
Instruction Fuzzy Hash: E261E97461D3808FD315CB3888907EBBBE5EB8A350F25896ED1D1C72A1D738D885CB5A

Function 0041E7A0 Relevance: 4.7, Strings: 3, Instructions: 938COMMON

Download Yara Rule

Strings

v, xrefs: 0041E98E
2"\\, xrefs: 0041EE22
!&& , xrefs: 0041EE1A

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: !&& $2"\\$v
API String ID: 0-66690623
Opcode ID: 4dfb5fb78e8a455e5ad835274cf3511fda185d48fb834496ef83a700337ad192
Instruction ID: e9b17d7d6cb25fd7e8af81ca0dca0c33645f5d3503e302bb4264f03f34b07c3b
Opcode Fuzzy Hash: 4dfb5fb78e8a455e5ad835274cf3511fda185d48fb834496ef83a700337ad192
Instruction Fuzzy Hash: 62527B7450C3818FC725CF25C8506AFBFE1AF96314F088A6EE8D54B392D7398946CB56

Function 0043A120 Relevance: 4.2, Strings: 3, Instructions: 478COMMON

Download Yara Rule

Strings

54+*, xrefs: 0043A600, 0043A308
54+*, xrefs: 0043A347
54+*, xrefs: 0043A188

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID: 54+*$54+*$54+*
API String ID: 2994545307-26850336
Opcode ID: a67e97fda4feb9dd47d5dd4a0776e3bc287d4b57f4707a9353eb73cb6bf7ee0f
Instruction ID: d7f07654b581cdb91e5346d4e79727cc379c0b8875721e9d15300a6a5d61dc92
Opcode Fuzzy Hash: a67e97fda4feb9dd47d5dd4a0776e3bc287d4b57f4707a9353eb73cb6bf7ee0f
Instruction Fuzzy Hash: 0FD177357883009FDB14CB25C882A7BB7A2EBC9354F18A52EE5C557391C778EC06878B

Function 00409370 Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

,-, xrefs: 00409763
g*V9, xrefs: 00409500
T, xrefs: 004095C1

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: ,-$T$g*V9
API String ID: 0-1490858594
Opcode ID: 86bf961c395ed7b7e07ea05ad14cc24c126058a6d268732374085c02ea76dcbd
Instruction ID: a0ce2b4ea5d82b238d504246632dfdecb4304a147a1c54da40f31a80d191d4bf
Opcode Fuzzy Hash: 86bf961c395ed7b7e07ea05ad14cc24c126058a6d268732374085c02ea76dcbd
Instruction Fuzzy Hash: ADC135B16083408BD718CF35C891A6BBBE5EFC2304F14496DE5D29B392DB38D90ACB56

Function 0042D306 Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

Uo#_, xrefs: 0042D752
F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: d3126adfd973d3248ca04cd93e27acaf3fc7bc708df34f2fc2eacb6372e1e1a0
Instruction ID: b3be92acc381a827a91cc0f17c6e37e2be9106d66737dd4d561d2fb3aa3361bd
Opcode Fuzzy Hash: d3126adfd973d3248ca04cd93e27acaf3fc7bc708df34f2fc2eacb6372e1e1a0
Instruction Fuzzy Hash: 3C7158B4A083A19BD3198B3994A033BBBE09F97305F58856EF4D68B381D67D8C04C756

Function 0042D4D0 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

Uo#_, xrefs: 0042D752
F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: 36fd720ed8d6823c32771bfe1625822d316a9a8a9853b2f702ca3dab545584eb
Instruction ID: 2ffdbc668ff94129819068ea1ed793c8dcaee62cf96c99cff00229467904dbcf
Opcode Fuzzy Hash: 36fd720ed8d6823c32771bfe1625822d316a9a8a9853b2f702ca3dab545584eb
Instruction Fuzzy Hash: BF5168A4A093A18BD3188F2994A0337FFE09FE3305F58956EF4D68B381D67D8804C756

Function 0042D49A Relevance: 4.0, Strings: 3, Instructions: 218COMMON

Download Yara Rule

Strings

Uo#_, xrefs: 0042D752
F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: 4ffe94aedec0ee075d16d5ca1e3e2f6a888b7093a5e75b5c49b8c05ae89e53b4
Instruction ID: 0de7b66c928a3350a22ba3e9d9bb6f9889ec970dbe198820fd9a8fcea16b9496
Opcode Fuzzy Hash: 4ffe94aedec0ee075d16d5ca1e3e2f6a888b7093a5e75b5c49b8c05ae89e53b4
Instruction Fuzzy Hash: 785179B4A093A18BD3098B2994A033BFFE09FD3305F58955EF4D68B381D67D8804C756

Function 0042D64C Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

Uo#_, xrefs: 0042D752
F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: 75d27e60beb243e9c3408e842da1e13c30d6f828246f723bff5a19cc79804c01
Instruction ID: 61dd48889cf855c270f3eeb86a6ea88740ffcb6d6eea17eed08dc00024456671
Opcode Fuzzy Hash: 75d27e60beb243e9c3408e842da1e13c30d6f828246f723bff5a19cc79804c01
Instruction Fuzzy Hash: 355166B0A093A18BD3088B2894A033BFFE09FD3305F58956EE4D68B381D67D8804C756

Function 0042BBE3 Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

g, xrefs: 0042BCC4
(, xrefs: 0042BD9A
0' :, xrefs: 0042BCB9

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: ($0' :$g
API String ID: 0-2894493355
Opcode ID: 127e783f08fa03dc1526e31b0ee453c704f7bbf9130a5869e8a9e0373e6e0c28
Instruction ID: 82fddf1245ea9785951fab6b19b0e18f29a6b2d5cfba79b1b40d0bceeec468ca
Opcode Fuzzy Hash: 127e783f08fa03dc1526e31b0ee453c704f7bbf9130a5869e8a9e0373e6e0c28
Instruction Fuzzy Hash: F651F26531D3D24BDB298F3598653FBBBE2DB93304F5C496DC0CA87282DB3984068796

Function 0042BC53 Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

g, xrefs: 0042BCC4
(, xrefs: 0042BD9A
0' :, xrefs: 0042BCB9

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: ($0' :$g
API String ID: 0-2894493355
Opcode ID: 60e313afede76628c7910cabc6e2c24f69d92bdb4d83de5ca37a98b6c8095f76
Instruction ID: ab1398b02a8a7281b2a45260371c8ad29eb33f1a8b52771f88fa1d3f98cb6ccb
Opcode Fuzzy Hash: 60e313afede76628c7910cabc6e2c24f69d92bdb4d83de5ca37a98b6c8095f76
Instruction Fuzzy Hash: 7341D37061C3D28ADB394F3494293FBBBE1DB93304F5849ADC0C987282DB394106879A

Function 0042BB19 Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

g, xrefs: 0042BCC4
(, xrefs: 0042BD9A
0' :, xrefs: 0042BCB9

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: ($0' :$g
API String ID: 0-2894493355
Opcode ID: b96d02e88c0a58c109baa3d55930f9ba5c7ef7b50bcf42591470675d5c739625
Instruction ID: be085471faecc0e2517363bcce5a64cf4fe5eb468f05be4f0a344c56f6f7ae45
Opcode Fuzzy Hash: b96d02e88c0a58c109baa3d55930f9ba5c7ef7b50bcf42591470675d5c739625
Instruction Fuzzy Hash: 9031F46021C3D28ADB394F3494593FBBBE1DB93304F98496EC0C987292CB394106CB5A

Function 00427917 Relevance: 3.8, Strings: 3, Instructions: 30COMMON

Download Yara Rule

Strings

AL7, xrefs: 0042793B
KNCI, xrefs: 00427943
X, xrefs: 00427953

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: AL7$KNCI$X
API String ID: 0-2162001628
Opcode ID: 2d3aa0b5dc2908d3afa6b89691fa5862a8d4e30f209e389472789df3b9353774
Instruction ID: c1efb55ec262374922805156c2cb0b218ab5fdccaf3554e53de449f270c0e8b1
Opcode Fuzzy Hash: 2d3aa0b5dc2908d3afa6b89691fa5862a8d4e30f209e389472789df3b9353774
Instruction Fuzzy Hash: 27F0A9B011D3909BE350AF69969065FFBF8EF96320F502A2CFAD49B242C334C0018F46

Function 0042788F Relevance: 3.7, APIs: 2, Instructions: 692COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427B68
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C72

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 5a29734b277b2e9b8358fa5ecbf45429ecc3aeb30d586a3974802221ebf8515b
Instruction ID: 247fa94026213c22a70afdfae02ba9db67c982c8a71b05e85d253056af3d2863
Opcode Fuzzy Hash: 5a29734b277b2e9b8358fa5ecbf45429ecc3aeb30d586a3974802221ebf8515b
Instruction Fuzzy Hash: FE324376A0C350CFD3108F29E88072EB7E1EF86314F19867DE99597391DB74E9018B8A

Function 00427A3F Relevance: 3.7, APIs: 2, Instructions: 668COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427B68
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C72

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 5f34821947dbddbcf30ce221ada36af6612115f31c02cf9bf287c06683c0a9f8
Instruction ID: 345d3084dec7a3450128b1aec3c018c2bdda3eb4c1cf0a9ab4d6be0b7558935f
Opcode Fuzzy Hash: 5f34821947dbddbcf30ce221ada36af6612115f31c02cf9bf287c06683c0a9f8
Instruction Fuzzy Hash: 3B324476A0C350CFD3248F29E88071EB7E1EF86314F19867DE99597391DB34E9018B8A

Function 004146A0 Relevance: 3.5, Strings: 2, Instructions: 1049COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00414D50
C=, xrefs: 004148BE

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: C=$D]+\
API String ID: 0-9813778
Opcode ID: b6a84abd2839b95c80c6a07005a96518be76de580fe6589eb625db292694bc81
Instruction ID: cd0c9bfdefc84b350a232778b7e2c0df60d2e4748fd71e5e92d8149e0538340d
Opcode Fuzzy Hash: b6a84abd2839b95c80c6a07005a96518be76de580fe6589eb625db292694bc81
Instruction Fuzzy Hash: 7F5223746093009BD7149F24EC81BABB7A1FFCA314F14492DE581973A1E738E946CB9A

Function 0040D7CF Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 338COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040D7DF

Strings

x~, xrefs: 0040DA4A

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: Uninitialize
String ID: x~
API String ID: 3861434553-550574277
Opcode ID: e28907237b4d3a91ec5e118e2f9312d913e820380ba1de72427fa36cd9a4d49b
Instruction ID: 6343ddfc659097a6b1acf70417bf2a81d4440c70e9b0de2d3dfcc7ed75506984
Opcode Fuzzy Hash: e28907237b4d3a91ec5e118e2f9312d913e820380ba1de72427fa36cd9a4d49b
Instruction Fuzzy Hash: 32B146B1A047808FD319CF2AC4E0663BFA2EF9730571981ADC8D65F79AC7399806CB55

Function 0041C900 Relevance: 3.1, Strings: 2, Instructions: 645COMMON

Download Yara Rule

Strings

!;P, xrefs: 0041C9DB
3;P, xrefs: 0041CA28

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: !;P$3;P
API String ID: 0-2962031992
Opcode ID: d5e4f07c2787d845fb65e5a98866e9f50cd63d594b10ba433d030bc227476e3b
Instruction ID: 40303969f341cab0190b7ffaf639a3eee83e9144fdcd8cc0720d9d15948ab37b
Opcode Fuzzy Hash: d5e4f07c2787d845fb65e5a98866e9f50cd63d594b10ba433d030bc227476e3b
Instruction Fuzzy Hash: 211275B2A50616CFCB048F68CC812EBBBB2FF55314F19856DD445AB391D338A892CBC4

Function 00DE1A80 Relevance: 3.1, APIs: 2, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

FreeConsole.KERNEL32 ref: 00DE1A90

Part of subcall function 00DE1B30: _strlen.LIBCMT ref: 00DE1B4A

Part of subcall function 00DE3510: std::_Lockit::_Lockit.LIBCPMT ref: 00DE352C
Part of subcall function 00DE3510: std::_Lockit::_Lockit.LIBCPMT ref: 00DE354A
Part of subcall function 00DE3510: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE356C
Part of subcall function 00DE3510: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE35DA

CryptDestroyKey.ADVAPI32(00000000,00000000), ref: 00DE1B07

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$ConsoleCryptDestroyFree_strlen
String ID:
API String ID: 3784716463-0
Opcode ID: 3e9336403dfdf909e47534b22229385a13cef36c351b5fcef03545efe25f66af
Instruction ID: efc154debf22acb55cef1799093cf26e0ccf69ff206a60a2c308965593cbf9e5
Opcode Fuzzy Hash: 3e9336403dfdf909e47534b22229385a13cef36c351b5fcef03545efe25f66af
Instruction Fuzzy Hash: C81170347003009FC754BB76D85AA2E7BE4FF89741B058068F40ACB3A1DA70DD40CB62

Function 004227E0 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

.8, xrefs: 00422802
10, xrefs: 00422874

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: .8$10
API String ID: 0-814249144
Opcode ID: 32d5e060f1d652f2465254695c79ef22fd30b916abb47e7b2ed794c844420618
Instruction ID: 6ecdc93fcc257772eba09db5fa8149ff251927af64ff6b659e51a55be0f97946
Opcode Fuzzy Hash: 32d5e060f1d652f2465254695c79ef22fd30b916abb47e7b2ed794c844420618
Instruction Fuzzy Hash: 23C15B717083209BD724DF28D95163BF3E1EF91324F49892EE89697391E7B8E801C35A

Function 0041966B Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

L4, xrefs: 00419600
54+*, xrefs: 004195C5

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: 54+*$L4
API String ID: 0-1428210418
Opcode ID: b8bc600fa4d70428250f3d62d1b0c4869235ddbcb5ebdaa6d2aff065ca03eef8
Instruction ID: b6df84392dfbbf32e231f27527d6559e31459186b39928bbcdb8bfc668edbfbe
Opcode Fuzzy Hash: b8bc600fa4d70428250f3d62d1b0c4869235ddbcb5ebdaa6d2aff065ca03eef8
Instruction Fuzzy Hash: 6691D1B56083419FD714CF29D8A1BABB7E2BFD5304F14492DE48A83251D738EC46CB5A

Function 00416C77 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

54+*, xrefs: 00416A75
MnA, xrefs: 00416A4D, 00416CBD

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: 54+*$MnA
API String ID: 0-3213807796
Opcode ID: f66647ee9ab0e35559181c8ae5c5de11cfb4496e1a8266f8898e9403b5961e50
Instruction ID: 6e584b5c880dee98a52d54ab6d2185dce934cf6ba25eebf79510f41c98d88442
Opcode Fuzzy Hash: f66647ee9ab0e35559181c8ae5c5de11cfb4496e1a8266f8898e9403b5961e50
Instruction Fuzzy Hash: 0051F67420D3508BD7288B14D9D0BABB7A2EFCA318F25967DD58697291C335E843C78E

Function 0043E9B3 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

v4vE, xrefs: 0043E9C0
#v, xrefs: 0043EA61

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: v4vE$#v
API String ID: 0-1442571820
Opcode ID: 7b64acfa24e2befdd8ac35dee43b38dc2d497a1a5a96ae3d147eba01d7514725
Instruction ID: 34cdfc8a34f78da73259cccf7ab61d51709751dea84dcafbc9ea7b9c9e951e0c
Opcode Fuzzy Hash: 7b64acfa24e2befdd8ac35dee43b38dc2d497a1a5a96ae3d147eba01d7514725
Instruction Fuzzy Hash: D631F4B6A183005BF708DF76AC8255BBAF3EBD5304F19C43DD185D7215EA38C1068B4A

Function 0043EE50 Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

yz, xrefs: 0043EE57
'}, xrefs: 0043EE65

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: '}$yz
API String ID: 0-4283282396
Opcode ID: f79d7379e376645b73c42350e5ee51e8a145ed93f69b725fee394d330310c919
Instruction ID: 6c98babec1c2cee739f789cf685c2ea4349774288cd61dce89ebb6089c752d52
Opcode Fuzzy Hash: f79d7379e376645b73c42350e5ee51e8a145ed93f69b725fee394d330310c919
Instruction Fuzzy Hash: A91132759002298FCB00CF54D8D06EE77B2FF41344F151569D851BB2A0CB389946CB99

Function 004402B0 Relevance: 2.0, Strings: 1, Instructions: 703COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 9ac8e299f1cf1d63ed86c6bd82d1a592ff0dcb59a841c00e2249b3a717890619
Instruction ID: cc1519bfc60c4b12a942df2b806186209cadf443f4b6312827fcc7d0bb8de627
Opcode Fuzzy Hash: 9ac8e299f1cf1d63ed86c6bd82d1a592ff0dcb59a841c00e2249b3a717890619
Instruction Fuzzy Hash: CB22363A608251DFC704CF28D8A126AF7F2FB8A314F09857ED98987351D734E955CB89

Function 004403D0 Relevance: 1.8, Strings: 1, Instructions: 594COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 0068fcea1fcce90b3d7b75575ae24fd46d4f308cccbdaad663dec9647c00860c
Instruction ID: ab146c73076e2240b060154e7353531ea1e8eb1c5403ea302177df520b4c5a47
Opcode Fuzzy Hash: 0068fcea1fcce90b3d7b75575ae24fd46d4f308cccbdaad663dec9647c00860c
Instruction Fuzzy Hash: 8D120339608250DFC708CF28E8A166AF7F2FB8A314F09857EE98987351D734D955CB89

Function 00440550 Relevance: 1.7, Strings: 1, Instructions: 478COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: a8b42d00aa42b6c5f4fdbec2012c9a4f829a243eac6bcdfeac6ada73ec91b821
Instruction ID: b47343fc74fa199a2dd3296f085def7190a0f10b9a04de121b961ff035c16150
Opcode Fuzzy Hash: a8b42d00aa42b6c5f4fdbec2012c9a4f829a243eac6bcdfeac6ada73ec91b821
Instruction Fuzzy Hash: A6F10136608251DFC704CF28D8A066AF7F2FB8A318F09897EE58987351C735E955CB89

Function 00440690 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 2fdcadc8431d5e275e97618014f6d9204e5a36a54ec6d05914a11fb32c429fef
Instruction ID: a8adab88cd6467e8744eccda8f8671d0fd7897d1ea11a103ef712ebcb60b2b94
Opcode Fuzzy Hash: 2fdcadc8431d5e275e97618014f6d9204e5a36a54ec6d05914a11fb32c429fef
Instruction Fuzzy Hash: 3CE100366082508FD304CF38D89066BFBE2EB8A314F09897EE99987351D735D905CB89

Function 00440600 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 7970cd6754f9a29d7eb6efe6f2f2c38251dbb01199b4c91cf1d898bcd2063352
Instruction ID: a6b8655c2d4fe843f733019638999d7a326d799a2e10267b81ba0de51ceb402d
Opcode Fuzzy Hash: 7970cd6754f9a29d7eb6efe6f2f2c38251dbb01199b4c91cf1d898bcd2063352
Instruction Fuzzy Hash: 41E10136608250DFD704CF28D8A066AFBE2FB8A314F09897EE59987351C735E915CB89

Function 0041C561 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

-.-2, xrefs: 0041C7E9

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: -.-2
API String ID: 0-2838677626
Opcode ID: 84298f2c1df00ac477d8c9eb7f651bf770509cc0667fa7c23a1cbe41850e76cc
Instruction ID: c65bc0e0fd9ab2b407f4ec274a243cae03b52599eb44c3ec4b920f3608bc9bdb
Opcode Fuzzy Hash: 84298f2c1df00ac477d8c9eb7f651bf770509cc0667fa7c23a1cbe41850e76cc
Instruction Fuzzy Hash: 08912770694B804FE335CF768880763BBE3AB96314F18896DD0D28BB95DB79E446CB14

Function 0042B100 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B2FE

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 981523987b1e43f0f2fbc980dbd505f4044b7fe8cc5f065e6a15477f38c1429d
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4071C632B083258BD714CE28E49032FB7E2EBC5750FA9856EE89497395D338DD4587CA

Function 00441DA0 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

@, xrefs: 00441E51

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 00ccdfaef0cf493359b405ba2665aa19c664aa536cebf78614738aaa438344e7
Instruction ID: 65ca1ec6d4672f8839795e63c8614bf8e8fa17c57707b6a32643269015e7e6e9
Opcode Fuzzy Hash: 00ccdfaef0cf493359b405ba2665aa19c664aa536cebf78614738aaa438344e7
Instruction Fuzzy Hash: 9A4158B49083109BEB10CF24D88072BB7E1FF99368F24852DEA88573A1E7389D44C7C6

Function 00440CE0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 00440D49

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: b277768eaef66f0637a864381fd791a7c7a7d3d97be0c2acc1eb4938501a7204
Instruction ID: 9fac65509ee92f571f5b79e95c1ad94962471f478490a82abc777c74c6c74bd9
Opcode Fuzzy Hash: b277768eaef66f0637a864381fd791a7c7a7d3d97be0c2acc1eb4938501a7204
Instruction Fuzzy Hash: 9A31EEB18083049BD314DF98D8C066BBBF5EB99314F14892DE79987280E335A818CB9A

Function 00426513 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

/kB, xrefs: 00426B29

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID: /kB
API String ID: 0-3532343839
Opcode ID: b4b5b7e280f642f85b3dfe5987f8b3969132ef151dffa41fcba20c5fda879f96
Instruction ID: 30b78e98d0376e77b4dedd947e5e84c4a76dc6197d8d4778f9e0425fae07882d
Opcode Fuzzy Hash: b4b5b7e280f642f85b3dfe5987f8b3969132ef151dffa41fcba20c5fda879f96
Instruction Fuzzy Hash: EA1159B4E093649FC320AB25A8D017B76A5DF97314F85852FF9C367361EA3C9C02C65A

Function 004074A0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa9a842e54d6f6908c7b800668eb5eb2d5e9b27e34123646e38c57c34ffb93e
Instruction ID: 53bedda06ccc27c303568f9e7e6bd49d427b81707e73c2342d6127383662a74f
Opcode Fuzzy Hash: cfa9a842e54d6f6908c7b800668eb5eb2d5e9b27e34123646e38c57c34ffb93e
Instruction Fuzzy Hash: 4F12B472A087118BC725DF18D8806ABB3E1BFC4315F19893ED9C6A7385D738B8558B87

Function 0041D050 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2a651c7b4397c0272f4726fbccc838470ac406de1116525d09835cc8aaf273
Instruction ID: 06ba914754fda528d7acfc96047ccc351decbac5893a7f6043ce80427adf6e18
Opcode Fuzzy Hash: ba2a651c7b4397c0272f4726fbccc838470ac406de1116525d09835cc8aaf273
Instruction Fuzzy Hash: 02C123B5A183118BD728DF28CC526ABB7F1EFD5314F08862DE8958B384E73C9944C795

Function 0043A9D6 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2c410d40d8a7215a23457b42f4989fe7a875ffa95cad037c50274c93334019
Instruction ID: 6ff10e554b56e7d98c0354463b113c8fe134109c80e7cf3690ca443259b71b45
Opcode Fuzzy Hash: fb2c410d40d8a7215a23457b42f4989fe7a875ffa95cad037c50274c93334019
Instruction Fuzzy Hash: 91E1397AA68226CBCB189F24D85116B73F2FF4A751F0BC97DD881472A0E7398960C746

Function 00405930 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8469296e2ad6377bca0d66c7fdbce60c96d239fa905cce4d846bf08553cb04b8
Instruction ID: 5dc1153c2cae88f14e706d6766014c5310a85aff0076e014daa1ca1314a98a54
Opcode Fuzzy Hash: 8469296e2ad6377bca0d66c7fdbce60c96d239fa905cce4d846bf08553cb04b8
Instruction Fuzzy Hash: 5DF1BD756087418FD724CF29C88076BBBE2EFD9304F08882DE5D597391E639E944CB96

Function 00428307 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e71ddd8efcb11a8d109418157ab47fde1022d2a01cbd6712a0ad8640d730c20
Instruction ID: a954b38a6bb1ce87cf69874cc4df31a0facd51f51a0102f5d1bcd2fc66b16d63
Opcode Fuzzy Hash: 0e71ddd8efcb11a8d109418157ab47fde1022d2a01cbd6712a0ad8640d730c20
Instruction Fuzzy Hash: CFA1F476B096114FD71CCF2AD81132FB6D3ABD4310F5A853EE88AC7395DE74E8128685

Function 00440E00 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b8b0fe984b0c526368686a946928a16b95041f210f520b4daf9bb1128f79edd
Instruction ID: c62094c7f2aec0b4591fe89b4ffec96fa28a786c068cd393fffb3f8dac1334b7
Opcode Fuzzy Hash: 9b8b0fe984b0c526368686a946928a16b95041f210f520b4daf9bb1128f79edd
Instruction Fuzzy Hash: 0D7127756082419BEB24DF28C890A3FB3E2EFD9750F19C42EE68587365E73498609786

Function 004410D0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d4ee9170cb315f71c8184b5a82f458173e5dc386eddf8c79e1ec2de4589c0f9
Instruction ID: 48af3df080d7374f24d22ba405b18466128ca7b67be3218363250a1880df35ed
Opcode Fuzzy Hash: 1d4ee9170cb315f71c8184b5a82f458173e5dc386eddf8c79e1ec2de4589c0f9
Instruction Fuzzy Hash: 8D91DF756083019BE718DF18C490A2BB3E2FF89750F15846EEA85DB361EB34DC41DB8A

Function 004409E0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2081274b20256b51a48b52e86fac1d0e917b6bc8052939e7a96106f21d596131
Instruction ID: 396e9f4d8292420b39720d4ebe7e3b2ba50298b7ad3af056df74e370846adae9
Opcode Fuzzy Hash: 2081274b20256b51a48b52e86fac1d0e917b6bc8052939e7a96106f21d596131
Instruction Fuzzy Hash: 4F71353560C2A59FC7048F39D8512AABBE3EBCA314F49896DE8D887350D739DD11CB89

Function 0041F2C0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ef3ed592ffea8117d6535c71c633ebd8baee3f6d97b41eb70e06c6ff45de06
Instruction ID: 7de542bc9115ef73e19b3091658d28cf0780ac80647d3c93e3c636ac7a511b7b
Opcode Fuzzy Hash: e2ef3ed592ffea8117d6535c71c633ebd8baee3f6d97b41eb70e06c6ff45de06
Instruction Fuzzy Hash: 99614A355083914FD7258F29C84096B7BE0ABA6314F4882BEE8E84B392D635DC4AC796

Function 00439490 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76f77a49fba37e77a617a0d652d585f641a783687e7745c1783b0e6500cdef52
Instruction ID: 6b3e4b7f11ac291a21e261308eef6cd7443abca3de393b842f6f559da3e6bac2
Opcode Fuzzy Hash: 76f77a49fba37e77a617a0d652d585f641a783687e7745c1783b0e6500cdef52
Instruction Fuzzy Hash: 8051CE263492116BD7018B25CC81A7BB7EAE7DE360F14952EE5C083342C2BCDC82D79E

Function 0043A640 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1fab72e9f5b1cdff51703c3b7269aa68bcba2dda9f3549e373aaeca11e4806
Instruction ID: 66fd862550092496dbaeb2d3bb1543f7b4ae7d39c68e2cc44db9a05b1b136551
Opcode Fuzzy Hash: 6d1fab72e9f5b1cdff51703c3b7269aa68bcba2dda9f3549e373aaeca11e4806
Instruction Fuzzy Hash: 8C3123B5A04300AFE7109E119CC1B3BB7B5EB89758F10182EF9C5A3201D339EC26879B

Function 00408B00 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a46eb97a1ede892c521cd0a1cf27060ef79bfacc0411b261445066a2a95deb
Instruction ID: 37f3efdb486df1b50b7503efc8676e0e0480c9f1302ca175b3bd99bebac416ea
Opcode Fuzzy Hash: 83a46eb97a1ede892c521cd0a1cf27060ef79bfacc0411b261445066a2a95deb
Instruction Fuzzy Hash: DF4190216493494BEB14CD2889815E77B61DBA2350F08C63EECC55B3C1EA3CDA0AD3A9

Function 0043F7B2 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bd4d7e9bd20bf13d05e542f28e56da8f4d605b247b1b6829d47043411abe16
Instruction ID: 65860a534bcdc61a69b891c8f4b112b5ccb7c4aa6a6d252a23f247d29c97b397
Opcode Fuzzy Hash: b8bd4d7e9bd20bf13d05e542f28e56da8f4d605b247b1b6829d47043411abe16
Instruction Fuzzy Hash: F8410436F245554BDB0CCF6888A157FBAB2AB8E310F19E13EC556E7354CB3899058788

Function 0040DE13 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7429881085838c9e2ea473406c0e777441f7560d71a7cb9971c1e3e1e517dda0
Instruction ID: 8192ad4da6690d975133d58e89ccec5cc32f62d7e28f0f863b58bcb031853df0
Opcode Fuzzy Hash: 7429881085838c9e2ea473406c0e777441f7560d71a7cb9971c1e3e1e517dda0
Instruction Fuzzy Hash: 64313938B556018FC725CB68CCC0B3673A3EBD6315B589639E092673D6DB38E8068788

Function 004292E0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8820827ab3717a503f23ee1f329a572c2ac425d8331617b1f9b573c8837ef006
Instruction ID: 6483a22a6f500d058f9f4f03b7d1e0b0debdf2b506a58ba5144e8a59cc6fe5a8
Opcode Fuzzy Hash: 8820827ab3717a503f23ee1f329a572c2ac425d8331617b1f9b573c8837ef006
Instruction Fuzzy Hash: DF31C432E00125CFCB14CF64C8516AFB7B2FF46310F19959AD842AB3A1DB385D01CB94

Function 004393C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311bccfb7c94d63f981d42372d52fcc226d8c5098601f3624a1e21d790acd581
Instruction ID: daeb1bb460313cd135989d5d7c02351c17a175b5b9fd5c5575e707a8a0bfda13
Opcode Fuzzy Hash: 311bccfb7c94d63f981d42372d52fcc226d8c5098601f3624a1e21d790acd581
Instruction Fuzzy Hash: 3C1178217082110AC3249BA9C8C1177F399DBDE724F19967BD9C08F292E2B8CC42C3D5

Function 00436370 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 91ac4c5b143b02c7d32e682e2a6aab4e0f1bc94368da354689b67666a2c00c8c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6311EC336451D50EC3168D3C84005A67FA30B97234F1AD39EF8B49B2D3D7278D8A8359

Function 0042A660 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee26b68ca80d359eea836c05570f0252371bc8a0c72456eea12c8fb01481f6b
Instruction ID: 9eb9525df2382ca65ffc71ea0fe4effccc3bbe68bdeaf4085e84a9653100f2a1
Opcode Fuzzy Hash: 2ee26b68ca80d359eea836c05570f0252371bc8a0c72456eea12c8fb01481f6b
Instruction Fuzzy Hash: A8019EF5B0031247D6209E11A4C4B2BB2A9AF90748F5D443EEC8457342DB7DFC2482AF

Function 00402B70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d295e9ed382b796e59e78ecd7c3973d9fbade591b377e9c3dd8d664adeac99
Instruction ID: fe22f187d6262aa03d792ec1030457158b6d731bbaaa7045d526425db3de230e
Opcode Fuzzy Hash: d5d295e9ed382b796e59e78ecd7c3973d9fbade591b377e9c3dd8d664adeac99
Instruction Fuzzy Hash: 1D01F46B7A831A0BD700DDBDECD56AAB7A696D5108B1E4139EA80D7781E0B8F8058294

Function 00425E70 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4230b21a2fd02e58cc7b406f354e8a131570180303f77ccb7a9505112db3ad99
Instruction ID: 18454f57bc8bd7713fef9fb37d3191b327954915f6893786146af46e59a98f16
Opcode Fuzzy Hash: 4230b21a2fd02e58cc7b406f354e8a131570180303f77ccb7a9505112db3ad99
Instruction Fuzzy Hash: AA01B53560E710DFC7188B24948093FB3B2FB9A324FA5556CD59123261D330ED028BCE

Function 00425DEA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cdd2821561e72d22e9e4a155e993369658370f557c2a38552048b2028693a2
Instruction ID: 6fca0e276dc41d176f9258a46a62d3d95cdd6612b9affbec5bcc6b9929d5356f
Opcode Fuzzy Hash: 75cdd2821561e72d22e9e4a155e993369658370f557c2a38552048b2028693a2
Instruction Fuzzy Hash: 3001DF30A096209BC7088B14A48053FF3B2EF8B720FD5552DE68667251C335ED028B8E

Function 0043EC60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa1d9da91f22f173d497c8b9dff6cb2ad0c54e4f2a9c7da531a3c1cc58556e0
Instruction ID: 79179b24096eac5e6ac07bd72d819e76adb0a4e00d37c96423816886d630571d
Opcode Fuzzy Hash: bfa1d9da91f22f173d497c8b9dff6cb2ad0c54e4f2a9c7da531a3c1cc58556e0
Instruction Fuzzy Hash: E7012B3AA519904BC718CF39DC91AE573A1F797305F19A6BCC406E7274EE3499058B48

Function 004318D2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4524fc0a338ad57f963c04a2a1849163223f2dae8872ce465ca5c5a18a3cbdac
Instruction ID: a73563fd83c1a5f1fe8eb3a12ecc0343a21fa8b04a7e32c0d6862619b683f324
Opcode Fuzzy Hash: 4524fc0a338ad57f963c04a2a1849163223f2dae8872ce465ca5c5a18a3cbdac
Instruction Fuzzy Hash: 670148B44047029FD320EF28C445B57BBF4EB48344F408A2DE8AAC7791E770A404CF82

Function 00431D48 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 102COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431D54
VariantInit.OLEAUT32 ref: 00431D60

Strings

l, xrefs: 00431DD2
`, xrefs: 00431DC2
j, xrefs: 00431DDA
n, xrefs: 00431DCA
", xrefs: 00431D86
m, xrefs: 00431DD6
b, xrefs: 00431DBA
d, xrefs: 00431DB2
-, xrefs: 00431D7E
4, xrefs: 00431D9E
, xrefs: 00431D96
f, xrefs: 00431DAA
3, xrefs: 00431D8E
%, xrefs: 00431DA6

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $"$%$-$3$4$`$b$d$f$j$l$m$n
API String ID: 2610073882-388534048
Opcode ID: 0d47e0fe30014c20ce2d32c7426541ef57348e46fc9c568ff5466d38f1117a37
Instruction ID: 0ed16d0090aa2853db3fa94cf8c83c94d7f5a066e2027e59c45352e3d5823b27
Opcode Fuzzy Hash: 0d47e0fe30014c20ce2d32c7426541ef57348e46fc9c568ff5466d38f1117a37
Instruction Fuzzy Hash: 5C415C612087C1CED725CF38C889346BFA2AB62314F08C69DD8E54F39BD279D516C762

Function 0043285B Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 96COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432867
VariantInit.OLEAUT32 ref: 00432873

Strings

n, xrefs: 004328E3
m, xrefs: 004328EF
b, xrefs: 004328D3
4, xrefs: 004328B7
%, xrefs: 004328BF
f, xrefs: 004328C3
", xrefs: 0043289F
`, xrefs: 004328DB
j, xrefs: 004328F3
d, xrefs: 004328CB
, xrefs: 004328AF
l, xrefs: 004328EB
-, xrefs: 00432897
3, xrefs: 004328A7

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $"$%$-$3$4$`$b$d$f$j$l$m$n
API String ID: 2610073882-388534048
Opcode ID: ae5400dcd5d302ef961202c0a16dd426301db3ee827d1cb557e1cc8c01814538
Instruction ID: cf5d184b347ae60a31a8e7b64644b3d0961cef50304e460fca956dadef895e24
Opcode Fuzzy Hash: ae5400dcd5d302ef961202c0a16dd426301db3ee827d1cb557e1cc8c01814538
Instruction Fuzzy Hash: 2F413C612087C08ED726CF3CC885346BFE1AB66314F08869DD8E58F39BD275D516C766

Function 00E03052 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00E0303D,?,?,?,?,?,?,?,?,?,?), ref: 00E030F8
__alloca_probe_16.LIBCMT ref: 00E031B3
__alloca_probe_16.LIBCMT ref: 00E03242
__freea.LIBCMT ref: 00E0328D
__freea.LIBCMT ref: 00E03293
__freea.LIBCMT ref: 00E032C9
__freea.LIBCMT ref: 00E032CF
__freea.LIBCMT ref: 00E032DF

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 43f2c877ce36ab503aaf8233a851a23510404d350270f62417987a4a367b7ef5
Instruction ID: 803f2255ed5f6ca718b36c5d8f8f45018459fad0ed819ddbca10a132b51680ba
Opcode Fuzzy Hash: 43f2c877ce36ab503aaf8233a851a23510404d350270f62417987a4a367b7ef5
Instruction Fuzzy Hash: C871D432A052496BDF20AEB48C42BEF77BEDF49314F291156E904B72D1DB35DE8087A0

Function 00DE84F5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00DE853C
__alloca_probe_16.LIBCMT ref: 00DE8568
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00DE85A7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DE85C4
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DE8603
__alloca_probe_16.LIBCMT ref: 00DE8620
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00DE8662
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00DE8685

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 5d1745505a245d8996055570830ede9d604877381a88adada333d4c12824f4c0
Instruction ID: 4880b5364267334018169af178fc5fe2a45dd79d6a5a494ab1652616ead248c7
Opcode Fuzzy Hash: 5d1745505a245d8996055570830ede9d604877381a88adada333d4c12824f4c0
Instruction Fuzzy Hash: 53519572600296AFEF206F66CC45FAA7BB9EF44740F154429F919E61A0DF71CD10AB70

Function 00DF712B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DF71B1

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction ID: 0695cd1e1e6ae1f3c77ce41dec3f76d062159855aea176ce0b5fd57e56cf71b5
Opcode Fuzzy Hash: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction Fuzzy Hash: ECB13532A08359AFDB118F68CC81BFE7BE5EF55310F1A8155EA54AF282D274E941C7B0

Function 00DE9470 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DE94A7
___except_validate_context_record.LIBVCRUNTIME ref: 00DE94AF
_ValidateLocalCookies.LIBCMT ref: 00DE9538
__IsNonwritableInCurrentImage.LIBCMT ref: 00DE9563
_ValidateLocalCookies.LIBCMT ref: 00DE95B8

Strings

csm, xrefs: 00DE954D

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8f6ae88901544c2e44636ca3c82167c9f9ec2d6fbe8db2fbea77f3043593e7d8
Instruction ID: 820b9385f84d5b116ff0975f5a78d8e60f27f6cfe0b06f086c8e610330473107
Opcode Fuzzy Hash: 8f6ae88901544c2e44636ca3c82167c9f9ec2d6fbe8db2fbea77f3043593e7d8
Instruction Fuzzy Hash: 9B41F470A01258ABCF11EF6ACC50AAEBBB0EF45314F188155E914AB392D731DE51CBB0

Function 00DE8397 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DE83AB
AcquireSRWLockExclusive.KERNEL32(00DE3C74,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE83CA
AcquireSRWLockExclusive.KERNEL32(00DE3C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE83F8
TryAcquireSRWLockExclusive.KERNEL32(00DE3C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE8453
TryAcquireSRWLockExclusive.KERNEL32(00DE3C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,00DE156C,00000000), ref: 00DE846A

Strings

ios_base::badbit set, xrefs: 00DE83E1

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ios_base::badbit set
API String ID: 66001078-3882152299
Opcode ID: d37359b4dc008fd447c7b70d603892ed86dc942962c87d4aba84164a2f6f7998
Instruction ID: a7348529115968df8e77dbe70d49768eb8c2b82b24eff67b7af2caf5308c33d7
Opcode Fuzzy Hash: d37359b4dc008fd447c7b70d603892ed86dc942962c87d4aba84164a2f6f7998
Instruction Fuzzy Hash: 1E417F3190068BDFCB20EF66C9809AAB3F6FF04310B544A29D59ED7581DB34E984EB71

Function 00DF51F2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00DF5301,00DE1F9A,?,00000000,00DE4A74,00DE1F9C,?,00DF4ED6,00000022,FlsSetValue,00E07C74,00E07C7C,00DE4A74), ref: 00DF52B3

Strings

ext-ms-, xrefs: 00DF525D
api-ms-, xrefs: 00DF5249

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b6ed5598f9654778ba3fbcba212659394d62eb865accbc48822a395a5536116e
Instruction ID: 999ba64b4d1832c851bfdf4280089b4bcb3732910a272ef71e7577445e8e25ba
Opcode Fuzzy Hash: b6ed5598f9654778ba3fbcba212659394d62eb865accbc48822a395a5536116e
Instruction Fuzzy Hash: E2212B31A05619AFCB219BB6FC40A7E7768DB41360F2A8250EF15B7284D631ED04C6F8

Function 00DE87AC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DE87B2
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00DE87C0
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00DE87D1

Strings

kernel32.dll, xrefs: 00DE87AD
GetSystemTimePreciseAsFileTime, xrefs: 00DE87BA
GetTempPath2W, xrefs: 00DE87C6

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 599065eaedb5f71178af49c5afb966f26d5d3c03d1e320ec1336d1ab2f5587ce
Instruction ID: 459819d7645375eade34717b5f9fc3dce67cb9507f67429e2071a07c8f46d6ac
Opcode Fuzzy Hash: 599065eaedb5f71178af49c5afb966f26d5d3c03d1e320ec1336d1ab2f5587ce
Instruction Fuzzy Hash: 6AD09231B89324AFC3119FB6BC0E8CA3AA4EBD97127065226F401F26A0D6B504C9DB95

Function 00DFD1ED Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07372fba175723a75305b9febc7cbb28484c971d2f61555b46cd118d07fd1fec
Instruction ID: fa3c1e0d2354014cd2989fa8ef9ebdcf589e7a4a2659b384c45f98b437dc9925
Opcode Fuzzy Hash: 07372fba175723a75305b9febc7cbb28484c971d2f61555b46cd118d07fd1fec
Instruction Fuzzy Hash: 70B1E070A0424DAFDF01DF9AD840BBE7BB3EF45314F198258EA10AB292C770A941CB71

Function 00DF2FAC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DF2FA3,00DE9247,00DE8033), ref: 00DF2FBA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DF2FC8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DF2FE1
SetLastError.KERNEL32(00000000,00DF2FA3,00DE9247,00DE8033), ref: 00DF3033

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eec1076700bf0c705365262f9db48d4ac938ad662fc0910de97c945fa2bdfa07
Instruction ID: 0bf10dc6f381b32ad6ee8e3187b90b65b820328cc2b03bee55232649f29c7cfc
Opcode Fuzzy Hash: eec1076700bf0c705365262f9db48d4ac938ad662fc0910de97c945fa2bdfa07
Instruction Fuzzy Hash: 7501283221E2196ED6342BB67C965372768DF403B1727C33AF710558F5EF924C455270

Function 00DF3874 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00DF3993
CallUnexpected.LIBVCRUNTIME ref: 00DF3C0C

Strings

csm, xrefs: 00DF391E
csm, xrefs: 00DF38B1
csm, xrefs: 00DF39CA

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 479ca2b6e3dd9025b70a64e2a612d8f5d32d2d50c34dda586a5962368c8c5d3b
Instruction ID: 4ce3705854d32fb971d6a4a9218a5f2be4d1986a082f6da776f845d53bc05b09
Opcode Fuzzy Hash: 479ca2b6e3dd9025b70a64e2a612d8f5d32d2d50c34dda586a5962368c8c5d3b
Instruction Fuzzy Hash: 2AB1567180020DAFCF24EFA5C8819BEBBB5EF04314B1B855AEA156B212D771DA51CBB1

Function 0042DAFD Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 172COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042DC5F

Strings

kdge, xrefs: 0042DB69
#v, xrefs: 0042DC5F
G, xrefs: 0042DC87
glhm, xrefs: 0042DB59

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: G$glhm$kdge$#v
API String ID: 3664257935-4023098897
Opcode ID: efda84222cddbdac5fe667d835128501f3c90b1fd491eb25eb067e342f112da9
Instruction ID: bfd15d46e1ac39dd06e1a04889429419f0e65eafd70abaf615cf56b171db5900
Opcode Fuzzy Hash: efda84222cddbdac5fe667d835128501f3c90b1fd491eb25eb067e342f112da9
Instruction Fuzzy Hash: C451267060C3919FE311CB25D850B6BBFD0EFA6300F14486DF5C5AB392D2B98805CB56

Function 00DE2EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DE2F0C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE2F2A
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE2F4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE2FBA

Strings

ios_base::badbit set, xrefs: 00DE2EF2

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: 8422dcf91a3522f8fa745dcc53bb33d4d847bba7c114cfef0f6524b4fedba4f5
Instruction ID: 853b56d5812957b162e938dca860220ab243f04dacdcf3c7b7b3c55b5fe9a2ba
Opcode Fuzzy Hash: 8422dcf91a3522f8fa745dcc53bb33d4d847bba7c114cfef0f6524b4fedba4f5
Instruction Fuzzy Hash: 0821CA719042448FC720FF1BD845A6AB3B4EF54324F09845DF5999B2A2DB30AC44CBA2

Function 00DE4BE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE4BEA
std::_Lockit::_Lockit.LIBCPMT ref: 00DE4BF7
std::_Lockit::_Lockit.LIBCPMT ref: 00DE4C61
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE4C7B

Part of subcall function 00DE433F: _Yarn.LIBCPMT ref: 00DE435F
Part of subcall function 00DE433F: _Yarn.LIBCPMT ref: 00DE4383

Strings

bad locale name, xrefs: 00DE4C45

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
String ID: bad locale name
API String ID: 3084819986-1405518554
Opcode ID: c079021154c7a9aab7ebd07d326ff7ac51e23ae9fa8d0e02af973a5a23a090b1
Instruction ID: 7d47e9c31bb9a393cccb988afb7ff0998695806197ad40031942e2b2953ab088
Opcode Fuzzy Hash: c079021154c7a9aab7ebd07d326ff7ac51e23ae9fa8d0e02af973a5a23a090b1
Instruction Fuzzy Hash: C3116371941784DFC720EF6AD58168ABBE4FF18310F50492EE18AD3651D770A544CB79

Function 00DEDC95 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00E046BA,000000FF,?,00DEDD56,00DEDC3D,?,00DEDDF2,00000000), ref: 00DEDCCA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DEDCDC
FreeLibrary.KERNEL32(00000000,?,?,00000000,00E046BA,000000FF,?,00DEDD56,00DEDC3D,?,00DEDDF2,00000000), ref: 00DEDCFE

Strings

mscoree.dll, xrefs: 00DEDCC3
CorExitProcess, xrefs: 00DEDCD4

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fcbac6e40dfd96293f55a4cf884b973e1de8056ad819927269f17dc1e7115fc8
Instruction ID: bd35ccd547a0c0a0919e38cd17d68184dddc250c92e18d025c416558e929bf9c
Opcode Fuzzy Hash: fcbac6e40dfd96293f55a4cf884b973e1de8056ad819927269f17dc1e7115fc8
Instruction Fuzzy Hash: BF01F232A04319AFCB119F91CC09BAEB7B9FB44B20F044125F811B22D0DBB59880CB90

Function 00DF59C6 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00DF5A4B
__alloca_probe_16.LIBCMT ref: 00DF5B14
__freea.LIBCMT ref: 00DF5B7B

Part of subcall function 00DF4211: HeapAlloc.KERNEL32(00000000,00DE4A74,00DE1F9A,?,00DE9351,00DE1F9C,00DE1F9A,?,?,?,00DE46D6,00DE4A74,00DE1F9E,00DE1F9A,00DE1F9A,00DE1F9A), ref: 00DF4243

__freea.LIBCMT ref: 00DF5B8E
__freea.LIBCMT ref: 00DF5B9B

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: fd9808c3bae16c3c7b7184992ce558170a23f488568d70a70be18e709c104fa4
Instruction ID: 7677e8dab87c54e5476388ab25f15bf402b9265d04a7a7bc5334177fdc1c5649
Opcode Fuzzy Hash: fd9808c3bae16c3c7b7184992ce558170a23f488568d70a70be18e709c104fa4
Instruction Fuzzy Hash: 4451C47260064EAFEB205F65EC81EBB77A9EF45714B1B8529FF08D6144EB30DD109670

Function 00DE5E93 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE5E9A
std::_Lockit::_Lockit.LIBCPMT ref: 00DE5EA4
int.LIBCPMT ref: 00DE5EBB

Part of subcall function 00DE4C50: std::_Lockit::_Lockit.LIBCPMT ref: 00DE4C61
Part of subcall function 00DE4C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE4C7B

codecvt.LIBCPMT ref: 00DE5EDE
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE5F15

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: b96990ff4cfbe5de18ffe3463aee7b1c7bc3c8b3da047d103a28f71f18058c7f
Instruction ID: fdbafd4c422745edf6f9449eb2e835c8f7f5db8d67e75e65d668d0d1e2f7f4a5
Opcode Fuzzy Hash: b96990ff4cfbe5de18ffe3463aee7b1c7bc3c8b3da047d103a28f71f18058c7f
Instruction Fuzzy Hash: F801C0759005998FCB05FBA3E9156AE77B0EF84324F284409F5116B2C1CF709E45CBB1

Function 00DE4565 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE456C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE4577
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE45E5

Part of subcall function 00DE4439: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00DE4451

std::locale::_Setgloballocale.LIBCPMT ref: 00DE4592
_Yarn.LIBCPMT ref: 00DE45A8

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 2812d8d1d106a1008f2db71f0cbcf8db5420a684d8118ac7ae94a34e3b6c53b8
Instruction ID: f86aa15af4d4c04ee5069475a838426308c974eb24ee974880d6ec29ca4dd9e9
Opcode Fuzzy Hash: 2812d8d1d106a1008f2db71f0cbcf8db5420a684d8118ac7ae94a34e3b6c53b8
Instruction Fuzzy Hash: B701F275A006648FC706FF62D85557C77A1FF84740B18400AE912673C1CF74AE86DBB2

Function 00DE1B30 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00DE1B4A

Strings

ios_base::failbit set, xrefs: 00DE1ED9
ios_base::badbit set, xrefs: 00DE1EE4, 00DE1F02
ios_base::eofbit set, xrefs: 00DE1ED4

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: b7b098005a0d88b009e79402aaab75b030ea4ca0aea8a9e08f97dd1bc2112016
Instruction ID: 71a63f74ad229ff70d62d967c7df8f3aeb2582c428cdc65e3a14137aba0db6fe
Opcode Fuzzy Hash: b7b098005a0d88b009e79402aaab75b030ea4ca0aea8a9e08f97dd1bc2112016
Instruction Fuzzy Hash: 68C17A393006418FC714EF29C484B6AB7E1FF89714F69866CE9998B3A1C735EC45CBA1

Function 00424883 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004248C1

Strings

ha, xrefs: 004248F9
q, xrefs: 00424900
ha, xrefs: 00424960, 00424519

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ha$ha$q
API String ID: 237503144-2525095540
Opcode ID: 2afdf2c7a496911d1016a4b7ad03343ecd8edc0553639cf8e445061b07e4d96e
Instruction ID: c658e200b3172b2c4a4d6f089079a709458a382cdb7082564cb6dc42ecfb3a23
Opcode Fuzzy Hash: 2afdf2c7a496911d1016a4b7ad03343ecd8edc0553639cf8e445061b07e4d96e
Instruction Fuzzy Hash: B731D575A00211CFDB10CF98D881BAE7BB1FF49714F158079E914AF396DB75D8028B95

Function 0042C3AE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C3E5

Strings

#v, xrefs: 0042C3E5
tidc, xrefs: 0042C40B
-!B, xrefs: 0042C45E

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: -!B$tidc$#v
API String ID: 3664257935-2422405768
Opcode ID: 57dd9652ca8a2e1dfdf703eb478245f04d1e764e2e6b3a4a6fe835d72092e874
Instruction ID: 0cb94904c914ad7ae8bd8e1ac9fe588995fa1e3a88885b05c0f925f6698cc2a9
Opcode Fuzzy Hash: 57dd9652ca8a2e1dfdf703eb478245f04d1e764e2e6b3a4a6fe835d72092e874
Instruction Fuzzy Hash: E321F17420C3918AD7218F39D8507EBBBE6ABE6304F94885ED0C8C7292DA798506C716

Function 0042C3AC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C3E5

Strings

#v, xrefs: 0042C3E5
tidc, xrefs: 0042C40B
-!B, xrefs: 0042C45E

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: -!B$tidc$#v
API String ID: 3664257935-2422405768
Opcode ID: 162db42e1e998b1f12c2b9f51427277601aaff401d5d9aca3582506ac13c7d85
Instruction ID: 36f598f07a78be95229329e16d831615469c789e38aad443987067daf5129e6e
Opcode Fuzzy Hash: 162db42e1e998b1f12c2b9f51427277601aaff401d5d9aca3582506ac13c7d85
Instruction Fuzzy Hash: 331136756083908BD720CF35E8407ABBBE6ABD6304F84846ED0C8C7261DF398405C706

Function 00DFEE61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00DFEEFD,00000000,?,00E112F0,?,?,?,00DFEE34,00000004,InitializeCriticalSectionEx,00E08254,00E0825C), ref: 00DFEE6E
GetLastError.KERNEL32(?,00DFEEFD,00000000,?,00E112F0,?,?,?,00DFEE34,00000004,InitializeCriticalSectionEx,00E08254,00E0825C,00000000,?,00DF3EBC), ref: 00DFEE78
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00DFEEA0

Strings

api-ms-, xrefs: 00DFEE85

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: ea8487c91dd8a3ed2879f16ee51a38397a10894400ae1d6baa7cf4a8650d6126
Instruction ID: c5556c3ed1bb9602e9e8c8d0c788c9dd49ea6682546d48b9f59783b916232ad2
Opcode Fuzzy Hash: ea8487c91dd8a3ed2879f16ee51a38397a10894400ae1d6baa7cf4a8650d6126
Instruction Fuzzy Hash: DAE01271388209BBEB101BA3EC06B293B649B10B51F148020FA0CB84E1D762A8949698

Function 00DFC20A Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00DFC26D

Part of subcall function 00DF4321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DF5B71,?,00000000,-00000008), ref: 00DF4382

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DFC4BF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DFC505
GetLastError.KERNEL32 ref: 00DFC5A8

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2d7c19c02932ba9e91a3af8b4e18ccdc1b5a9968ae6a482f0b6133cfbaac0f4f
Instruction ID: bf99068bc3a0f43698068655fdfe5a4c095ad5c97afc0c806ea5a1f4b61e911b
Opcode Fuzzy Hash: 2d7c19c02932ba9e91a3af8b4e18ccdc1b5a9968ae6a482f0b6133cfbaac0f4f
Instruction Fuzzy Hash: C6D189B5D0024C9FCF15CFE8C9809EDBBB5EF48304F29816AE656EB351D630A955CB60

Function 00DF359B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00DF3662
___AdjustPointer.LIBCMT ref: 00DF3685
___AdjustPointer.LIBCMT ref: 00DF3721

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 44a2b5a03c63036a39499abc7f8638e12d5787148991a2b2a0d78790d7e02d20
Instruction ID: 68574aea1de5a43aec77110b2886bc4a2ae6432fcc5beda89d211c1f351cfe3e
Opcode Fuzzy Hash: 44a2b5a03c63036a39499abc7f8638e12d5787148991a2b2a0d78790d7e02d20
Instruction Fuzzy Hash: 7951E77160124ABFEB299F15D841B7AB7A4EF44314F2B842DEA0687791D731EE40CB70

Function 00DE3510 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DE352C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE354A
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE356C
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE35DA

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 10d1f2eccdb515c6009deba04d3e7891641b719878602eeeb900a32645bd772d
Instruction ID: 6a389e89c771f9287708d1f10cc56ce1eb46f080d3797a1514c177b6169e1d52
Opcode Fuzzy Hash: 10d1f2eccdb515c6009deba04d3e7891641b719878602eeeb900a32645bd772d
Instruction Fuzzy Hash: 3221B1B19042849FC720FF1BD849AAA77A0EF54324F45855EF5495B3A1DB30AD44CFB2

Function 00DFA036 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DF5B71,?,00000000,-00000008), ref: 00DF4382

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00DFA09A
__dosmaperr.LIBCMT ref: 00DFA0A1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00DFA0DB
__dosmaperr.LIBCMT ref: 00DFA0E2

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d1381130958ae04580323ea62a02ae68fec76333debef3290f2c83317accb01b
Instruction ID: ea12c9e7d606e860502f12653e258f3cb0ee7bd347cc7f324137f5a954cbecc2
Opcode Fuzzy Hash: d1381130958ae04580323ea62a02ae68fec76333debef3290f2c83317accb01b
Instruction Fuzzy Hash: 5D210AB1600649AFCB20AF6AEC4097BB7A9EF04364715C529FA2D97140DF31EC8087B2

Function 00DEB2D2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97629b84268d3106e778e68de8e6eb6582b9002a9ea1e94afa64db30172ff639
Instruction ID: 84269e022b1c9b3a6c1cc5b1b3e7e68634371409dc81b431773d51efd41a3402
Opcode Fuzzy Hash: 97629b84268d3106e778e68de8e6eb6582b9002a9ea1e94afa64db30172ff639
Instruction Fuzzy Hash: 58216A31604A89AFDB20BFA78C8296BBBA9EF403747144526F969D7550E731FC508BB0

Function 00DFB42C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00DFB434

Part of subcall function 00DF4321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DF5B71,?,00000000,-00000008), ref: 00DF4382

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DFB46C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DFB48C

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a10df9822f827a0e90c3149806ea8c930760fba596b6dc90a943689463e535c7
Instruction ID: 07e9f02e4fadea9373482b657fdd409dcc6ae5e1f44047d6eeffe91d345b706b
Opcode Fuzzy Hash: a10df9822f827a0e90c3149806ea8c930760fba596b6dc90a943689463e535c7
Instruction Fuzzy Hash: 6011DBF590561D7FA71127B2DE8ACBF696CCE943A8356C016FB05E1102FB64DD408271

Function 00DE7155 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE715C
std::_Lockit::_Lockit.LIBCPMT ref: 00DE7166
int.LIBCPMT ref: 00DE717D

Part of subcall function 00DE4C50: std::_Lockit::_Lockit.LIBCPMT ref: 00DE4C61
Part of subcall function 00DE4C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00DE4C7B

std::_Lockit::~_Lockit.LIBCPMT ref: 00DE71D7

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 99edb1b07d8562155c2a94dd9822cf6b38f75d51df9f4ad4fbaf22ca86d4289f
Instruction ID: 1995c8f72d6d9bed06fe15924fef280f43d3bb54d43644c5576b7a7064cdc4d0
Opcode Fuzzy Hash: 99edb1b07d8562155c2a94dd9822cf6b38f75d51df9f4ad4fbaf22ca86d4289f
Instruction Fuzzy Hash: 8411A1719042A5CFCB05FBA6D8156AD77B0EF84310F294449F9256B281CF709A45CBB1

Function 00E03310 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000), ref: 00E03327
GetLastError.KERNEL32(?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000,?,?,?,00DFBF42,?), ref: 00E03333

Part of subcall function 00E03384: CloseHandle.KERNEL32(FFFFFFFE,00E03343,?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000,?,?), ref: 00E03394

___initconout.LIBCMT ref: 00E03343

Part of subcall function 00E03365: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E03301,00E027EC,?,?,00DFC5FC,?,00000000,00000000,?), ref: 00E03378

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00E027FF,00000000,00000001,?,?,?,00DFC5FC,?,00000000,00000000,?), ref: 00E03358

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: cc4e862d556074735ced20344520b7aa051e7fe7ad4946ccd5ad33ee4e4db75a
Instruction ID: d72fe8b3c246e4fce20168282a04870b23ca772a4f0ba42df79e1f34fbdbc643
Opcode Fuzzy Hash: cc4e862d556074735ced20344520b7aa051e7fe7ad4946ccd5ad33ee4e4db75a
Instruction Fuzzy Hash: 45F01C3650411ABFCF221FE6DC49A997F6AFB483A0F108010FA18B5570CA7689A0DB90

Function 00DE8C37 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00DE8C49
GetCurrentThreadId.KERNEL32 ref: 00DE8C58
GetCurrentProcessId.KERNEL32 ref: 00DE8C61
QueryPerformanceCounter.KERNEL32(?), ref: 00DE8C6E

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 500ae6b87a4f1ddc23458c3f1db8f489e605078f19ee3767f6317b1d2b0e6181
Instruction ID: efdec81e2d06600ef4e48ce10edf2320a56d1dabfe293033c7f358f7b2c821b6
Opcode Fuzzy Hash: 500ae6b87a4f1ddc23458c3f1db8f489e605078f19ee3767f6317b1d2b0e6181
Instruction Fuzzy Hash: 9CF05F75D1420DEFCB00DBF5DA4999EBBF4EF1C204B918996A412F6510E730AB889B50

Function 00DF8C16 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4463: GetLastError.KERNEL32(00000000,?,00DF6842), ref: 00DF4467
Part of subcall function 00DF4463: SetLastError.KERNEL32(00000000,?,?,00000028,00DF0A12), ref: 00DF4509

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00DEE2A6,?,?,?,00000055,?,-00000050,?,?,?), ref: 00DF8CD5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00DEE2A6,?,?,?,00000055,?,-00000050,?,?), ref: 00DF8D0C

Strings

utf8, xrefs: 00DF8DDE

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: cb8320ecd853d72f1b9d0c89415d37a5e96949511553c48c49c6f36d9ce7109b
Instruction ID: 8da9e6230c049ec25c30fa4851f1ad0fefccaacb67b753751f872493789ce9ee
Opcode Fuzzy Hash: cb8320ecd853d72f1b9d0c89415d37a5e96949511553c48c49c6f36d9ce7109b
Instruction Fuzzy Hash: 7351F731A00309AAD724AB70CC46BB773A8EF04700F1E8419FB55A71C1FF71D980A6B2

Function 0040C5B6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C5BA
CoInitializeEx.OLE32(00000000,00000002), ref: 0040C6FF

Strings

E)ov, xrefs: 0040C70B

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: Initialize
String ID: E)ov
API String ID: 2538663250-3776031005
Opcode ID: e7a95b8e5ff17603cc907fcbc2df53191815e2a062ed42e83665db1e0f35c6a2
Instruction ID: 7eb1427ce90a185cc1fa67b5dec7511066f0963e0e52bfde8587bb9a189e8e04
Opcode Fuzzy Hash: e7a95b8e5ff17603cc907fcbc2df53191815e2a062ed42e83665db1e0f35c6a2
Instruction Fuzzy Hash: 6941C8B4C10B40AFD370EF39990B7137EB4AB06250F504B1DF9EA866D4E631A4198BD7

Function 00DF3C98 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00DF3B99,?,?,00000000,00000000,00000000,?), ref: 00DF3CBD

Strings

RCC, xrefs: 00DF3CD7
MOC, xrefs: 00DF3CCF

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 99a6c977f395b4954d13fd576d2a4e15f991b3b56fd047836c7afaa1fc7ff011
Instruction ID: 6746268317bdf318de35c8cb59a8b8bbf87696ca8b7ba4eb2d6d0cb24857c8eb
Opcode Fuzzy Hash: 99a6c977f395b4954d13fd576d2a4e15f991b3b56fd047836c7afaa1fc7ff011
Instruction Fuzzy Hash: AB41587190024DAFCF15DF98CD81EAEBBB5FF48304F1A8059FA05AB266D3359A50DB60

Function 00433B7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433BC8
GetSystemMetrics.USER32 ref: 00433BD7

Strings

, xrefs: 00433CAB

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 66b7d6ddbbaea78e25287b155da9d8360f6552616883599e2b0a62f41b2dcca0
Instruction ID: 01f348f677623f89764fea340cc94f5095fd4e31d5590f1ad9612ee75e4100da
Opcode Fuzzy Hash: 66b7d6ddbbaea78e25287b155da9d8360f6552616883599e2b0a62f41b2dcca0
Instruction Fuzzy Hash: E05172B4D142089FCB40EFACD98569DBBF0BB88300F11852AE498E7310D774A984CF96

Function 00DF3504 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00DF377B

Strings

csm, xrefs: 00DF380E
csm, xrefs: 00DF379D

Memory Dump Source

Source File: 00000003.00000002.2169215918.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000003.00000002.2169198911.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169240010.0000000000E05000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169256794.0000000000E0F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169271264.0000000000E13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2169286451.0000000000E16000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_de0000_BootStrapper.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 81c4441201f7f020b85cae3ead6eee736d4ff339b2bc716dac98eee7a9cfa270
Instruction ID: 48c4bbcd053e290628a3333048fd607cb67a48a44853bbbc360afa706bf0cf4a
Opcode Fuzzy Hash: 81c4441201f7f020b85cae3ead6eee736d4ff339b2bc716dac98eee7a9cfa270
Instruction Fuzzy Hash: 6831D2B240020CABCF225F55CC4097A7B66FF08755B1FC15AFE584A221C336CEA1DBA1

Function 0040B470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(004087D9), ref: 0040B476
FreeLibrary.KERNEL32 ref: 0040B497

Strings

#v, xrefs: 0040B476, 0040B497

Memory Dump Source

Source File: 00000003.00000002.2169013850.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BootStrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: bb14e4f03ff262a9d0a4fb625346a9907beddf15038352d24ccadd0573c580b9
Instruction ID: 14c24250467d46fcb0e4885f16a1c061d8822480d82cb60a36f5ea4aadaffd71
Opcode Fuzzy Hash: bb14e4f03ff262a9d0a4fb625346a9907beddf15038352d24ccadd0573c580b9
Instruction Fuzzy Hash: 0BC002795424009FFE112B69FE0A8183A21EBA23057070031B94A91431DB3289249B9A

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BootStrapper.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
BootStrapper.exe

Function 00E0F19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00DE1730 Relevance: 12.2, APIs: 8, Instructions: 200
fileCOMMON

Function 00DF51F2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00DE1B30 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324
COMMON

Function 00DEDA29 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00DEDBBF Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00DEDD30 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00DE2780 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
COMMONLIBRARYCODE

Function 00DFBE60 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00DFC639 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00DF5D12 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00DE1A80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Function 00DEDB41 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON