Edit tour

Windows Analysis Report
Bootstrapper.exe

Overview

General Information

Sample name:	Bootstrapper.exe
Analysis ID:	1582549
MD5:	f51a40d5bf9b9c5007742e1b9c4b384a
SHA1:	226ec50e7a706aaa7dfab94c857efce27af86b9e
SHA256:	fadc67d2ed4a8c2a52dc15ffcaaef1e61bab0707b37893e4b45b96df03ee3a0f
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Bootstrapper.exe (PID: 380 cmdline: "C:\Users\user\Desktop\Bootstrapper.exe" MD5: F51A40D5BF9B9C5007742E1B9C4B384A)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bootstrapper.exe (PID: 1308 cmdline: "C:\Users\user\Desktop\Bootstrapper.exe" MD5: F51A40D5BF9B9C5007742E1B9C4B384A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deafeninggeh.biz", "effecterectz.xyz", "bellflamre.click", "sordid-snaked.cyou", "immureprech.biz", "wrathful-jammy.cyou", "debonairnukk.xyz", "awake-weaves.cyou", "diffuculttan.xyz"], "Build id": "LPnhqo--icmlrimzcuwc"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.764512+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.091520+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.5	58409	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.000788+0100	2058212	1	Domain Observed Used for C2 Detected	192.168.2.5	63758	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.025567+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.5	55432	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.069311+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.5	49259	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.052755+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.5	62510	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.037610+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.5	58257	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.014226+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.5	56371	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.101702+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.5	57224	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:56.080637+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.5	49201	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:57.353956+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49707	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["deafeninggeh.biz", "effecterectz.xyz", "bellflamre.click", "sordid-snaked.cyou", "immureprech.biz", "wrathful-jammy.cyou", "debonairnukk.xyz", "awake-weaves.cyou", "diffuculttan.xyz"], "Build id": "LPnhqo--icmlrimzcuwc"}

Multi AV Scanner detection for submitted file

Source: Bootstrapper.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.7% probability

Machine Learning detection for sample

Source: Bootstrapper.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bellflamre.click
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--icmlrimzcuwc

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 3_2_00F413B0 CryptContextAddRef,GetLastError,

3_2_00F413B0

Source: Bootstrapper.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49707 version: TLS 1.2

Source: Bootstrapper.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F4E842 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00F4E842
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F4E791 FindFirstFileExW,	0_2_00F4E791
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F4E842 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00F4E842
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F4E791 FindFirstFileExW,	3_2_00F4E791

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3Dh]	3_2_00439050
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edx, eax	3_2_00439050
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4558C06Bh]	3_2_00427861
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edi, edx	3_2_0042986B
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000090h]	3_2_0042B8D7
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042B8D7
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov ecx, ebx	3_2_0040D8D8
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000090h]	3_2_0042B8DF
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042B8DF
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx]	3_2_0043D8B0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then test eax, eax	3_2_00436940
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+57C4116Bh]	3_2_00436940
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov eax, dword ptr [esi+000000BCh]	3_2_0041614F
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov dword ptr [esi], edx	3_2_0041614F
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042C966
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov eax, edx	3_2_0041C970
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edi, edx	3_2_0042986B
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042C9C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], bl	3_2_0042C1E0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], bl	3_2_0042C185
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edx, word ptr [eax]	3_2_0043D190
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov eax, edx	3_2_004029A0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042C9B2
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_00419A01
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00419A01
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov ecx, eax	3_2_00414A00
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], bl	3_2_0042C21E
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042A2D0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov esi, edx	3_2_00427A98
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4558C06Bh]	3_2_00427B45
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	3_2_00416B71
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A8F779E4h	3_2_00439300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E095B21Bh	3_2_00439300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6A2D3EA3h	3_2_00439300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A8F779E4h	3_2_00439300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], A99F3325h	3_2_00439300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], dl	3_2_0042AB20
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004073C0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	3_2_004073C0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_00423BE0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	3_2_00402B80
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5Ah]	3_2_00422450
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_0040EC1C
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	3_2_0043BCC0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1B18515Dh]	3_2_00435CD0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_004284B0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00429D40
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042B553
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edx, eax	3_2_00418D56
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then cmp cx, 0020h	3_2_004155F6
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_004155F6
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+70h]	3_2_00409580
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_00409580
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+40h]	3_2_0043A642
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00419605
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_004336F0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041BFEB
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov edx, ecx	3_2_0040C78C
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 4x nop then mov esi, edx	3_2_004277B8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.5:58409 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.5:56371 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.5:55432 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.5:62510 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058212 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) : 192.168.2.5:63758 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.5:58257 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.5:57224 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.5:49201 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.5:49259 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49707 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: bellflamre.click
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: diffuculttan.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: Bootstrapper.exe, 00000003.00000003.2047595937.0000000000D47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7e40461baa9673e9e66a6c96; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 30 Dec 2024 20:09:57 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: bellflamre.click
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Bootstrapper.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Bootstrapper.exe, 00000003.00000002.2048170280.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047595937.0000000000D47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Bootstrapper.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Bootstrapper.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Bootstrapper.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Bootstrapper.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: Bootstrapper.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Bootstrapper.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Bootstrapper.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Bootstrapper.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Bootstrapper.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Bootstrapper.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Bootstrapper.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Bootstrapper.exe, 00000003.00000002.2048170280.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047595937.0000000000D47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/-
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2047945625.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2047945625.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047639768.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2048123283.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047701587.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2047945625.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900h
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Bootstrapper.exe, 00000003.00000002.2048170280.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047595937.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 3_2_004310F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004310F0

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 3_2_004310F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004310F0

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 3_2_00432138 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00432138

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F41000	0_2_00F41000
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F52930	0_2_00F52930
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F46B72	0_2_00F46B72
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F51342	0_2_00F51342
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F44B25	0_2_00F44B25
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F5658E	0_2_00F5658E
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00408690	3_2_00408690
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0040AF40	3_2_0040AF40
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00421860	3_2_00421860
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00428076	3_2_00428076
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00408810	3_2_00408810
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00426020	3_2_00426020
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004348CA	3_2_004348CA
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004038D0	3_2_004038D0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042B8D7	3_2_0042B8D7
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004058F0	3_2_004058F0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004258B0	3_2_004258B0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043D8B0	3_2_0043D8B0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00436940	3_2_00436940
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041194F	3_2_0041194F
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041614F	3_2_0041614F
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00406150	3_2_00406150
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042C966	3_2_0042C966
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00409170	3_2_00409170
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041C970	3_2_0041C970
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00428122	3_2_00428122
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00417920	3_2_00417920
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042C9C1	3_2_0042C9C1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041818E	3_2_0041818E
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043D190	3_2_0043D190
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041D9A0	3_2_0041D9A0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004371A4	3_2_004371A4
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0040E1A8	3_2_0040E1A8
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042C9B2	3_2_0042C9B2
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00424240	3_2_00424240
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042F250	3_2_0042F250
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00414A00	3_2_00414A00
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0040AAC0	3_2_0040AAC0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00428AD2	3_2_00428AD2
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00435AD0	3_2_00435AD0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00445ADA	3_2_00445ADA
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00404280	3_2_00404280
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041B360	3_2_0041B360
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00416B71	3_2_00416B71
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00439300	3_2_00439300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00435300	3_2_00435300
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041BB12	3_2_0041BB12
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043C331	3_2_0043C331
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00404BC0	3_2_00404BC0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004073C0	3_2_004073C0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00423BE0	3_2_00423BE0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004263F0	3_2_004263F0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00412380	3_2_00412380
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00422450	3_2_00422450
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00427451	3_2_00427451
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00423455	3_2_00423455
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00426410	3_2_00426410
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00438C30	3_2_00438C30
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00435CD0	3_2_00435CD0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041DC90	3_2_0041DC90
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043DCA0	3_2_0043DCA0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00433D40	3_2_00433D40
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0040E549	3_2_0040E549
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042B553	3_2_0042B553
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00418D56	3_2_00418D56
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042CD5A	3_2_0042CD5A
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00422D5B	3_2_00422D5B
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00435560	3_2_00435560
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043BD6B	3_2_0043BD6B
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00425570	3_2_00425570
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043D500	3_2_0043D500
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00430D20	3_2_00430D20
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004065E0	3_2_004065E0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004155F6	3_2_004155F6
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041BDFE	3_2_0041BDFE
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00409580	3_2_00409580
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0042FD8D	3_2_0042FD8D
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041E590	3_2_0041E590
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00405DB0	3_2_00405DB0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043BE50	3_2_0043BE50
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00416E30	3_2_00416E30
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00402ED0	3_2_00402ED0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00436700	3_2_00436700
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0040CF25	3_2_0040CF25
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00419FD0	3_2_00419FD0
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0041F780	3_2_0041F780
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00429781	3_2_00429781
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_004277B8	3_2_004277B8
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00428FB8	3_2_00428FB8
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F41000	3_2_00F41000
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F52930	3_2_00F52930
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F46B72	3_2_00F46B72
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F51342	3_2_00F51342
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F44B25	3_2_00F44B25
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F5658E	3_2_00F5658E

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: String function: 004149F0 appears 52 times
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: String function: 00407EF0 appears 43 times
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: String function: 00F44AE0 appears 68 times
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: String function: 00F4AD1F appears 36 times

Source: Bootstrapper.exe

Static PE information: invalid certificate

Source: Bootstrapper.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Bootstrapper.exe

Static PE information: Section: .bss ZLIB complexity 1.0003255208333333

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@10/1

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 3_2_00430849 VariantClear,CoCreateInstance,

3_2_00430849

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03

Source: Bootstrapper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bootstrapper.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bootstrapper.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Bootstrapper.exe

File read: C:\Users\user\Desktop\Bootstrapper.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"
Source: C:\Users\user\Desktop\Bootstrapper.exe	Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Bootstrapper.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bootstrapper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F43F92 push ecx; ret	0_2_00F43FA5
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00442978 push esi; iretd	3_2_0044298A
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_0043BCC0 push eax; mov dword ptr [esp], CAC9C807h	3_2_0043BCC3
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00438FC0 push eax; mov dword ptr [esp], 3F303132h	3_2_00438FCE
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F43F92 push ecx; ret	3_2_00F43FA5

Source: C:\Users\user\Desktop\Bootstrapper.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 4768	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 2104	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F4E842 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00F4E842
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F4E791 FindFirstFileExW,	0_2_00F4E791
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F4E842 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00F4E842
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F4E791 FindFirstFileExW,	3_2_00F4E791

Source: Bootstrapper.exe, 00000003.00000002.2047945625.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2048123283.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047639768.0000000000D36000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 3_2_0043A590 LdrInitializeThunk,

3_2_0043A590

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00F44911 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F44911

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F5F1A9 mov edi, dword ptr fs:[00000030h]	0_2_00F5F1A9
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F41710 mov edi, dword ptr fs:[00000030h]	0_2_00F41710
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F41710 mov edi, dword ptr fs:[00000030h]	3_2_00F41710

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00F4AD36 GetProcessHeap,

0_2_00F4AD36

Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F44911 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F44911
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F44905 SetUnhandledExceptionFilter,	0_2_00F44905
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F43EA6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F43EA6
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 0_2_00F48F97 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F48F97
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F44911 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00F44911
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F44905 SetUnhandledExceptionFilter,	3_2_00F44905
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F43EA6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00F43EA6
Source: C:\Users\user\Desktop\Bootstrapper.exe	Code function: 3_2_00F48F97 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00F48F97

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00F5F1A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00F5F1A9

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bootstrapper.exe

Memory written: C:\Users\user\Desktop\Bootstrapper.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Bootstrapper.exe, 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: debonairnukk.xyz
Source: Bootstrapper.exe, 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: diffuculttan.xyz
Source: Bootstrapper.exe, 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: effecterectz.xyz
Source: Bootstrapper.exe, 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: deafeninggeh.biz
Source: Bootstrapper.exe, 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: immureprech.biz
Source: Bootstrapper.exe, 00000000.00000002.3261719374.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bellflamre.click

Source: C:\Users\user\Desktop\Bootstrapper.exe

Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Bootstrapper.exe

Code function: 0_2_00F441C1 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_00F441C1

Source: C:\Users\user\Desktop\Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bootstrapper.exe	71%	ReversingLabs	Win32.Trojan.LummaStealer
Bootstrapper.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
bellflamre.click	unknown	unknown	false	high
awake-weaves.cyou	unknown	unknown	false	high
immureprech.biz	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
deafeninggeh.biz	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
diffuculttan.xyz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
bellflamre.click	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
debonairnukk.xyz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/-	Bootstrapper.exe, 00000003.00000002.2048170280.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047595937.0000000000D47000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Bootstrapper.exe	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Bootstrapper.exe	false	high
http://ocsp.sectigo.com0	Bootstrapper.exe	false	high
https://steamcommunity.com/?subsection=broadcasts	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Bootstrapper.exe	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Bootstrapper.exe	false	high
https://store.steampowered.com/stats/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Bootstrapper.exe	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/76561199724331900h	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2047945625.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sectigo.com/CPS0	Bootstrapper.exe	false	high
https://steamcommunity.com/p	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.2047945625.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Bootstrapper.exe	false	high
https://recaptcha.net	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Bootstrapper.exe	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Bootstrapper.exe	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	Bootstrapper.exe, 00000003.00000003.2047639768.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	Bootstrapper.exe, 00000003.00000002.2048170280.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047595937.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047564460.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000003.2047623426.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582549
Start date and time:	2024-12-30 21:09:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bootstrapper.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 21 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Bootstrapper.exe

Simulations

Behavior and APIs

Time	Type	Description
15:09:55	API Interceptor	3x Sleep call for process: Bootstrapper.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SQHE4Hsjo6.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	104.64.19.63
	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	23.32.221.157
	botx.mips.elf	Get hash	malicious	Mirai	Browse	72.247.1.141
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	23.54.12.227
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	23.211.115.2
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	23.218.100.64
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	23.6.144.120
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	23.49.251.25
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	2.16.80.56

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Launcher.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	hoEtvOOrYH.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	#Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.753834955780266
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Bootstrapper.exe
File size:	439'936 bytes
MD5:	f51a40d5bf9b9c5007742e1b9c4b384a
SHA1:	226ec50e7a706aaa7dfab94c857efce27af86b9e
SHA256:	fadc67d2ed4a8c2a52dc15ffcaaef1e61bab0707b37893e4b45b96df03ee3a0f
SHA512:	fdd0eaf8b7f731d215b3ec881acb4fb83922f25eaceddb621a9324a6e147c3bc7305f1a742526a4dc83bafccf7b8e93d3d42672c34e1f0ec778990fd70055363
SSDEEP:	12288:GxNrLsok+24E7KlqmWIp2wWdgoyCdvs/OssEelr7v:G7n3k+C1xvwWdVXdvmOuqr7v
TLSH:	D594021275C0C073D6B3283325A4DBB28A3DFA304F609ADF53984A7A5F342D25735A6B
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...@r]g.........."......^..........LE............@.......................................@.....................................P..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40454c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x675D7240 [Sat Dec 14 11:55:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1ba5ee037d17edba1d86aee5816aeb76

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	31/08/2023 02:00:00 31/08/2026 01:59:59
Subject Chain	CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
Version:	3
Thumbprint MD5:	AD1BCBF19AE2F91BB114D33B85359E56
Thumbprint SHA-1:	141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
Thumbprint SHA-256:	A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
Serial:	00D0461B529F67189D43744E9CEFE172AE

Entrypoint Preview

Instruction
call 00007FD4E4B1128Ah
jmp 00007FD4E4B10EA9h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FD4E4B1103Fh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [00420530h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007FD4E4B11039h
call 00007FD4E4B1542Ch
jmp 00007FD4E4B1103Dh
push 00420530h
call 00007FD4E4B153AFh
pop ecx
pop ecx
xor ecx, ecx
test eax, eax
cmove ecx, dword ptr [ebp+08h]
mov eax, ecx
pop ebp
ret
push 00000008h
push 0041E560h
call 00007FD4E4B11570h
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007FD4E4B1108Fh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FD4E4B1107Eh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FD4E4B11070h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007FD4E4B111B2h
pop ecx
pop ecx
test eax, eax
je 00007FD4E4B11059h
cmp dword ptr [eax+24h], 00000000h
jl 00007FD4E4B11053h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007FD4E4B11051h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d9d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x68800	0x2e80	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22000	0x1358	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17808	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1db80	0x15c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15c61	0x15e00	06bd1d4fa7bcf52a430738d7732675ea	False	0.5842745535714285	data	6.583661914726466	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17000	0x7afc	0x7c00	09e0d0c1de43f9ace28d40ff424875cc	False	0.46137852822580644	data	5.096582523498804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x1c4c	0x1200	996f830a50204a5374ed37009290179a	False	0.4312065972222222	data	4.62380972489563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x21000	0xe8	0x200	797ccf8a170b4e76647519bf302a73e2	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22000	0x1358	0x1400	0b96ae99a82a3916c252b5ea2c77becb	False	0.7873046875	data	6.4713484928883025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x24000	0x48000	0x48000	e74e44730f0ea125a19d0c13e20a187a	False	1.0003255208333333	data	7.999381678040562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x21060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL	Import
ADVAPI32.dll	CryptContextAddRef
KERNEL32.dll	AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll	DefWindowProcW, GetMessageA, RegisterClassW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T21:09:56.000788+0100	2058212	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click)	1	192.168.2.5	63758	1.1.1.1	53	UDP
2024-12-30T21:09:56.014226+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.5	56371	1.1.1.1	53	UDP
2024-12-30T21:09:56.025567+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.5	55432	1.1.1.1	53	UDP
2024-12-30T21:09:56.037610+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.5	58257	1.1.1.1	53	UDP
2024-12-30T21:09:56.052755+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.5	62510	1.1.1.1	53	UDP
2024-12-30T21:09:56.069311+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.5	49259	1.1.1.1	53	UDP
2024-12-30T21:09:56.080637+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.5	49201	1.1.1.1	53	UDP
2024-12-30T21:09:56.091520+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.5	58409	1.1.1.1	53	UDP
2024-12-30T21:09:56.101702+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.5	57224	1.1.1.1	53	UDP
2024-12-30T21:09:56.764512+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	104.102.49.254	443	TCP
2024-12-30T21:09:57.353956+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49707	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 21:09:56.130490065 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.130516052 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:56.130686045 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.131717920 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.131731987 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:56.764394045 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:56.764512062 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.768649101 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.768656969 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:56.768969059 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:56.818586111 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.825825930 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:56.867340088 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.353936911 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.353964090 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.353996038 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.354010105 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.354016066 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.354028940 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.354042053 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.354075909 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.354110003 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.438916922 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.438956022 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.438980103 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.439152956 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.439152956 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.440663099 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.440675974 CET	443	49707	104.102.49.254	192.168.2.5
Dec 30, 2024 21:09:57.440687895 CET	49707	443	192.168.2.5	104.102.49.254
Dec 30, 2024 21:09:57.440694094 CET	443	49707	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 21:09:56.000787973 CET	63758	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.010924101 CET	53	63758	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.014225960 CET	56371	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.024116993 CET	53	56371	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.025567055 CET	55432	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.034466028 CET	53	55432	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.037610054 CET	58257	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.050440073 CET	53	58257	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.052755117 CET	62510	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.067105055 CET	53	62510	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.069310904 CET	49259	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.078432083 CET	53	49259	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.080636978 CET	49201	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.090440989 CET	53	49201	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.091520071 CET	58409	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.100522995 CET	53	58409	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.101701975 CET	57224	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.111206055 CET	53	57224	1.1.1.1	192.168.2.5
Dec 30, 2024 21:09:56.118400097 CET	62408	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:09:56.125283003 CET	53	62408	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 21:09:56.000787973 CET	192.168.2.5	1.1.1.1	0x7449	Standard query (0)	bellflamre.click	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.014225960 CET	192.168.2.5	1.1.1.1	0xf30a	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.025567055 CET	192.168.2.5	1.1.1.1	0xd808	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.037610054 CET	192.168.2.5	1.1.1.1	0x4dda	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.052755117 CET	192.168.2.5	1.1.1.1	0xb86c	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.069310904 CET	192.168.2.5	1.1.1.1	0x884b	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.080636978 CET	192.168.2.5	1.1.1.1	0xd31	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.091520071 CET	192.168.2.5	1.1.1.1	0x62ee	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.101701975 CET	192.168.2.5	1.1.1.1	0x5ed8	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.118400097 CET	192.168.2.5	1.1.1.1	0xb11	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 21:09:56.010924101 CET	1.1.1.1	192.168.2.5	0x7449	Name error (3)	bellflamre.click	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.024116993 CET	1.1.1.1	192.168.2.5	0xf30a	Name error (3)	immureprech.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.034466028 CET	1.1.1.1	192.168.2.5	0xd808	Name error (3)	deafeninggeh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.050440073 CET	1.1.1.1	192.168.2.5	0x4dda	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.067105055 CET	1.1.1.1	192.168.2.5	0xb86c	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.078432083 CET	1.1.1.1	192.168.2.5	0x884b	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.090440989 CET	1.1.1.1	192.168.2.5	0xd31	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.100522995 CET	1.1.1.1	192.168.2.5	0x62ee	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.111206055 CET	1.1.1.1	192.168.2.5	0x5ed8	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:56.125283003 CET	1.1.1.1	192.168.2.5	0xb11	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.102.49.254	443	1308	C:\Users\user\Desktop\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:56 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-30 20:09:57 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Dec 2024 20:09:57 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=7e40461baa9673e9e66a6c96; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-30 20:09:57 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-30 20:09:57 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	15:09:51
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Bootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bootstrapper.exe"
Imagebase:	0xf40000
File size:	439'936 bytes
MD5 hash:	F51A40D5BF9B9C5007742E1B9C4B384A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:09:51
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:09:54
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Bootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bootstrapper.exe"
Imagebase:	0xf40000
File size:	439'936 bytes
MD5 hash:	F51A40D5BF9B9C5007742E1B9C4B384A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	1.8%
Total number of Nodes:	1444
Total number of Limit Nodes:	13

Executed Functions

Function 00F5F1A9 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00F5F11B,00F5F10B), ref: 00F5F33F
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00F5F352
Wow64GetThreadContext.KERNEL32(00000094,00000000), ref: 00F5F370
ReadProcessMemory.KERNELBASE(0000008C,?,00F5F15F,00000004,00000000), ref: 00F5F394
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 00F5F3BF
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 00F5F417
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 00F5F462
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 00F5F4A0
Wow64SetThreadContext.KERNEL32(00000094,014E0000), ref: 00F5F4DC
ResumeThread.KERNELBASE(00000094), ref: 00F5F4EB

Strings

GetP, xrefs: 00F5F229
SetThreadContext, xrefs: 00F5F2CD
aryA, xrefs: 00F5F1ED
Load, xrefs: 00F5F1E5
ResumeThread, xrefs: 00F5F2E3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00F5F33E
VirtualAlloc, xrefs: 00F5F26E
TerminateProcess, xrefs: 00F5F3CE
CreateProcessW, xrefs: 00F5F25B
VirtualAllocEx, xrefs: 00F5F2A7
GetThreadContext, xrefs: 00F5F281
ress, xrefs: 00F5F231
ReadProcessMemory, xrefs: 00F5F294
WriteProcessMemory, xrefs: 00F5F2BA

Memory Dump Source

Source File: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: e2795eaf4c5ea5cfb959168fe70ec2f0c7432b959fdded2690f9c53ccc591837
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 34B1F67660064AAFDB60CF68CC80BDA73A5FF88725F158164EA08EB341D770FA55CB94

Function 00F4AADE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,1C088254,?,00F4ABED,?,?,00000000), ref: 00F4AB9F

Strings

ext-ms-, xrefs: 00F4AB49
api-ms-, xrefs: 00F4AB35

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: fd241aa37901b99f677743bb57979d44c800ad3464c9c84f6c459630fee0986f
Instruction ID: e577fa26303120b996c8cfae953c92683b53158bdf1c16e71e027b267d5c8dc0
Opcode Fuzzy Hash: fd241aa37901b99f677743bb57979d44c800ad3464c9c84f6c459630fee0986f
Instruction Fuzzy Hash: 5621D871E41314ABCB229724DC44E5A7F6ADF817B1F250114EE16A72D0EB70ED00E6D2

Function 00F418D0 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00F41953
GetFileSize.KERNEL32 ref: 00F41982
CloseHandle.KERNEL32 ref: 00F4199E

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: fe6d7a44644caf9da162c0b2dca5cb82bccdd96a5e9f1289e674ae588a525e05
Instruction ID: dbe1e8180a400bba41ea000923be6cc80cbb50a95d3008259561c7f589c56a29
Opcode Fuzzy Hash: fe6d7a44644caf9da162c0b2dca5cb82bccdd96a5e9f1289e674ae588a525e05
Instruction Fuzzy Hash: 8471A0B0D05248DFDB10DFA8D58879DBBF0BF48314F108429E899AB341E774A989DF52

Function 00F413B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F41530
GetLastError.KERNEL32 ref: 00F4158B

Strings

Fu, xrefs: 00F41530

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: DispatcherErrorExceptionLastUser
String ID: Fu
API String ID: 2542788420-2244517181
Opcode ID: b1b7225fdb88834a779aa467e8a441ba5ed3616d20a3add5cd80c4b3656de4ef
Instruction ID: 9d9bedcc1ae8c770d4a508f8e8a0d8a1c3ed3f59926a31063c7f19d3b8c67084
Opcode Fuzzy Hash: b1b7225fdb88834a779aa467e8a441ba5ed3616d20a3add5cd80c4b3656de4ef
Instruction Fuzzy Hash: 597113B4A4922D8BCB64DF58D8987D9BBF0AB28304F1440E9E88D97351C6749AC4DF61

Function 00F41780 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00F417E9

Part of subcall function 00F413B0: KiUserExceptionDispatcher.NTDLL ref: 00F41530

Part of subcall function 00F413B0: GetLastError.KERNEL32 ref: 00F4158B

VirtualProtect.KERNELBASE ref: 00F41897

Strings

@, xrefs: 00F4188B

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ConsoleDispatcherErrorExceptionFreeLastProtectUserVirtual
String ID: @
API String ID: 1907986952-2766056989
Opcode ID: 2b07e702c23a8e2cb18e06ecfcc136193a8984a1de109b83d5ffccd4bdd74a5b
Instruction ID: 2d9b89e5eb28d6cbeabe1ad8fdc81b7d305cba84a004ff57d99bdb339fb066a0
Opcode Fuzzy Hash: 2b07e702c23a8e2cb18e06ecfcc136193a8984a1de109b83d5ffccd4bdd74a5b
Instruction Fuzzy Hash: AD31B0B0904308DFDB00DFA9D98969EBFF0BF48314F108569E858AB351D7789988DF95

Function 00F47EBF Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00007FD7,00000000,?,?), ref: 00F47F08
GetLastError.KERNEL32(?,00000000,00000000,?,00F42E17), ref: 00F47F14
__dosmaperr.LIBCMT ref: 00F47F1B

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: f2921f57687580dead8be48e66ebfb11b973f23ca6819ea1a14d38138ee9d174
Instruction ID: 3d42e4a6ff0b45906a20db96baf8c789124cacaa9282b150f8bbf9b779645923
Opcode Fuzzy Hash: f2921f57687580dead8be48e66ebfb11b973f23ca6819ea1a14d38138ee9d174
Instruction Fuzzy Hash: FB016572919309ABDF25AFA0DC06AAE3FA9EF00374F004058FC0196190EB79CA54FAD0

Function 00F48055 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F4AEE8: GetLastError.KERNEL32(00000000,?,00F4C603,00F4C700,?,?,00F4ADE4,00000001,00000364,?,00000006,000000FF,?,00F47FFC,00F5E5C0,0000000C), ref: 00F4AEEC
Part of subcall function 00F4AEE8: SetLastError.KERNEL32(00000000), ref: 00F4AF8E

CloseHandle.KERNEL32(?,?,?,00F47F4F,?,?,00F48035,00000000), ref: 00F48086
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00F47F4F,?,?,00F48035,00000000), ref: 00F4809C
ExitThread.KERNEL32 ref: 00F480A5

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 9d12449f4d000ee904cc787a5cc3fd42badcc550e9094e246871af2b8631e680
Instruction ID: b4a4d8600458465e8426e6089318496fc26e989459f2c4f8de520578086ec0e7
Opcode Fuzzy Hash: 9d12449f4d000ee904cc787a5cc3fd42badcc550e9094e246871af2b8631e680
Instruction Fuzzy Hash: 9CF05E31911704ABDB315B6ACC08A1E3EA9AF403B1F094620BC25C31E1DF34DC4AE650

Function 00F4B4BC Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00F4B3AB,00F5E900,0000000C), ref: 00F4B508
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00F4B3AB,00F5E900,0000000C), ref: 00F4B51A

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 20605d71fedd03bb908a8cfae564c5814b26d9e8a49608e3ba37f1ce375892ca
Instruction ID: 9354eadf5b53891336c17f6128563c0d1f6f198423308fa31f12f69243fb0ac1
Opcode Fuzzy Hash: 20605d71fedd03bb908a8cfae564c5814b26d9e8a49608e3ba37f1ce375892ca
Instruction Fuzzy Hash: 9D11847290875546D7304E3E8C88622FE94A756331B3C071AD9B6865FBD730D985F640

Function 00F41D20 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00F41D48
GetModuleFileNameA.KERNEL32 ref: 00F41D68

Part of subcall function 00F41E40: std::_Throw_Cpp_error.LIBCPMT ref: 00F41E6D
Part of subcall function 00F41E40: GetCurrentThreadId.KERNEL32 ref: 00F41E7B
Part of subcall function 00F41E40: std::_Throw_Cpp_error.LIBCPMT ref: 00F41E94
Part of subcall function 00F41E40: std::_Throw_Cpp_error.LIBCPMT ref: 00F41ED3

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Module$CurrentFileHandleNameThread
String ID:
API String ID: 1246727395-0
Opcode ID: e837d1b8d1cdb433d210fda9598b4870a9b1e962e797d400935c99f23fd78514
Instruction ID: 3d8027ee4a7c77270a81c1a2bfc536d723958e60c6cd23687afb7894c80d313f
Opcode Fuzzy Hash: e837d1b8d1cdb433d210fda9598b4870a9b1e962e797d400935c99f23fd78514
Instruction Fuzzy Hash: B911A7B4D0421C8FCB54EF68D9467DDBBF0BB48300F0149A9D98997251EB745AC8DF92

Function 00F47FD7 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00F5E5C0,0000000C), ref: 00F47FEA
ExitThread.KERNEL32 ref: 00F47FF1

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: cb87f4fc339e21f168383c25b2ff30c8ee974a64eab9c408716a85da2302e2dd
Instruction ID: 7e4087b8457c6375030f15c7585a182f3d23a3b6af773884644f850ab7741d63
Opcode Fuzzy Hash: cb87f4fc339e21f168383c25b2ff30c8ee974a64eab9c408716a85da2302e2dd
Instruction Fuzzy Hash: 1AF0AF71940604AFDB10BFB0CC0AA6E7FB4FF45721F100149F90197252DB789945FBA1

Function 00F4ABA9 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a414a2816275b2f63ddb2b40476a38e7b54f12ec0aa2b129b9c1e745a4768c96
Instruction ID: f0b0559a1b942d24a2ed5bea7879769f008f9d46e6ea2e3557690fe626c99f93
Opcode Fuzzy Hash: a414a2816275b2f63ddb2b40476a38e7b54f12ec0aa2b129b9c1e745a4768c96
Instruction Fuzzy Hash: 2A01B537A40229AF9B168F68FC81A563BAAFBC47217344524FE1197194EA31D811BB51

Function 00F42D90 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00F42E45

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: d54e8504b96f3f1388dcbea5df0b64fd9cc38dd9eb742307fe847597955bb9bb
Instruction ID: 352b43a0b702baf031ebb9e69a89e327376322515196b4cbf1f237233e6e5a12
Opcode Fuzzy Hash: d54e8504b96f3f1388dcbea5df0b64fd9cc38dd9eb742307fe847597955bb9bb
Instruction Fuzzy Hash: E821E7B4904209DFCB44EFA8C5516AEBBF1FF48310F40846DF8499B350E7749A44DB91

Function 00F43290 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00F4333B

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 4f5ff57c77d2bf0aef068905c8d8653e99cff65cc642bf72859c10d264ee9630
Instruction ID: 6b96c392fa89786da384e369197ce68d95a218daf5072fd15fc3b80720b5e719
Opcode Fuzzy Hash: 4f5ff57c77d2bf0aef068905c8d8653e99cff65cc642bf72859c10d264ee9630
Instruction Fuzzy Hash: 7021D6B4A042099FDB04EFA8D9516AEBFF0BF58310F40846DE845AB351EB789A44DB91

Function 00F4C7F6 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00F4BA97,?,?,00F4BA97,00000220,?,00000000,?), ref: 00F4C828

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73cd02b1c5dd3bf1a991b564e9912f16938633497949ac20a9d98163ff789631
Instruction ID: b4ef710aab169c91fdd378e039acd55770fa44b598475bbfdf86b5cfc5695524
Opcode Fuzzy Hash: 73cd02b1c5dd3bf1a991b564e9912f16938633497949ac20a9d98163ff789631
Instruction Fuzzy Hash: A8E09B3190322457E7B126A55D05B6F3E88AF817F0F197121FD15961E2EFA5DC00F1E1

Non-executed Functions

Function 00F51342 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F51559

Strings

1#IND, xrefs: 00F51447
1#QNAN, xrefs: 00F51455
1#INF, xrefs: 00F51478
1#SNAN, xrefs: 00F5144E

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e493dae262dd1039e7ff82ed3039abd8f03884cdb8e23ce4aae38334abe786f3
Instruction ID: a3553ae5726db3a451df2045c4c4b20f0ae31d6426280ce31866eae957e45e66
Opcode Fuzzy Hash: e493dae262dd1039e7ff82ed3039abd8f03884cdb8e23ce4aae38334abe786f3
Instruction Fuzzy Hash: 47D24F71E082288FDB65CE28DC407E9B7B5FB45316F1441EAD90DE7240D778AE899F41

Function 00F52930 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8eb3cd4a956a794ca677142f179592e97daeae2fe173f9db45350db7659e00
Instruction ID: b9d88cfbf2351792ee9f3b98354c52f25d7eec183df54f767ecbfb3beff486d3
Opcode Fuzzy Hash: fd8eb3cd4a956a794ca677142f179592e97daeae2fe173f9db45350db7659e00
Instruction Fuzzy Hash: 94023C71E002199BDF14CFA8D8806AEFBF1FF49325F248269DA19E7341D731AA45DB90

Function 00F4E842 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4E932

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8eb2416f6f1c61ffb63a2cf3625269d8d0d6ac63ecabeb2a570bf0cfc0634695
Instruction ID: 276cc164ed93dd22d6347533eefbb97c086d571590b2952a992d1972c49b1beb
Opcode Fuzzy Hash: 8eb2416f6f1c61ffb63a2cf3625269d8d0d6ac63ecabeb2a570bf0cfc0634695
Instruction Fuzzy Hash: A071E271C05119AFDF21EF388C99ABABFB9BF45310F1441D9E848A7251EB348E85AF10

Function 00F44911 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F4491D
IsDebuggerPresent.KERNEL32 ref: 00F449E9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F44A02
UnhandledExceptionFilter.KERNEL32(?), ref: 00F44A0C

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 276d1e6807bba935b36edfb548a6132bfb153bacd30685c45c720356b9fc9072
Instruction ID: c62589740308da59fe610b9bb659f5f586c6f967c12a86f84a7fed0f32cb1d44
Opcode Fuzzy Hash: 276d1e6807bba935b36edfb548a6132bfb153bacd30685c45c720356b9fc9072
Instruction Fuzzy Hash: 5931F875D0532C9BDB21DFA4DD497CDBBB8AF08301F1041AAE90CAB250EB749A84EF45

Function 00F48F97 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00F4908F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00F49099
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00F490A6

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d1e363d4e843149f5ac1c769d06b1dfe86cf2ff90cbcd36ceef6a6bd13565860
Instruction ID: cae4911aeb1ea95852efedfa8d63e17307beb11e01167bac31a4e17cbe5860b8
Opcode Fuzzy Hash: d1e363d4e843149f5ac1c769d06b1dfe86cf2ff90cbcd36ceef6a6bd13565860
Instruction Fuzzy Hash: 3B31B47490122C9BCB21DF68DD8978DBBB4AF08310F5041EAE91CA7251EB749B859F44

Function 00F441C1 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00F44133,?,?,?,?,00F44157,000000FF,?,?,?,00F4406F,00000000), ref: 00F441F9
GetSystemTimeAsFileTime.KERNEL32(?,1C088254,?,?,00F56B89,000000FF,?,00F44133,?,?,?,?,00F44157,000000FF,?), ref: 00F441FD

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 718e2d0b3eb9e01bcfbfa84ed36afeaf6a4dddaf60a8b7852658f0c6cbbf2bda
Instruction ID: 610e883ba0bd3f3b53b19f53de4a57783eabba9d867dc179cadd0ff39dc50096
Opcode Fuzzy Hash: 718e2d0b3eb9e01bcfbfa84ed36afeaf6a4dddaf60a8b7852658f0c6cbbf2bda
Instruction Fuzzy Hash: D1F0653290565CEFCB119F48DC04B59BBA8FB48B21F11416AED22D3790DB75A900AB80

Function 00F5658E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F564E9,?,?,00000008,?,?,00F560BB,00000000), ref: 00F567BB

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9d289db249eaa383b7d7154173a1a42138fde3cd40492180341e179a1b0a6953
Instruction ID: 854400ec63fa84ed05c7ce7a1a24eb3748d188aaa1c896bcaf5590b1d8e9028f
Opcode Fuzzy Hash: 9d289db249eaa383b7d7154173a1a42138fde3cd40492180341e179a1b0a6953
Instruction Fuzzy Hash: B6B17E32610608CFD715CF28C48AB647BE0FF0536AF698658EEA9CF2A1C735D985DB40

Function 00F44B25 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F44B3B

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9a492ee4226e9ae16f24628d5ed2783d8ce2f5afe331017df40607148a74ba0b
Instruction ID: 94d4b1de1d0774e73ccc01e5e1f30cc1453b11ffdb9091e3cfaeb295e081b5c5
Opcode Fuzzy Hash: 9a492ee4226e9ae16f24628d5ed2783d8ce2f5afe331017df40607148a74ba0b
Instruction Fuzzy Hash: 32A16DB1D117098FDB18CF64D9827AABBF0FB49325F28816AE915E7360D374A844EF50

Function 00F4E791 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4C6AE: HeapAlloc.KERNEL32(00000008,?,?,?,00F4ADE4,00000001,00000364,?,00000006,000000FF,?,00F47FFC,00F5E5C0,0000000C), ref: 00F4C6EF

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4E932
FindNextFileW.KERNEL32(00000000,?), ref: 00F4EA26
FindClose.KERNEL32(00000000), ref: 00F4EA65
FindClose.KERNEL32(00000000), ref: 00F4EA98

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 267da2cac7d207b9f7c94f4f5fc72520059b23dd4e86e6eded6e89d28055d0e0
Instruction ID: 41750e86736d3ac203abdefbc6c6baa0fec137b45038fd54fb6ab09684d5d7e4
Opcode Fuzzy Hash: 267da2cac7d207b9f7c94f4f5fc72520059b23dd4e86e6eded6e89d28055d0e0
Instruction Fuzzy Hash: 3A515972D00119AFDF24AF389C849BE7FA9FF85324F1441A9FC1997241EA348D41BB60

Function 00F46B72 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00F46CF6

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: fa2e33d229d679771122b2398453e16362a8bc7866854fe4773a78fdb44e5386
Instruction ID: f29f214de32a48e603512979ecf0b9513956350ce4f27874e4c9df309b7ee463
Opcode Fuzzy Hash: fa2e33d229d679771122b2398453e16362a8bc7866854fe4773a78fdb44e5386
Instruction Fuzzy Hash: A3B1F071E0060A8BCB248F68CA956BEBFB1EF46320F14061DED92D7691C7349A05EB57

Function 00F44905 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004A26,00F443BD), ref: 00F4490A

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 331e8a5fee63b7a74b61d28fc572e410b9e0993d4c2c577c6c3e590767a9111c
Instruction ID: a52c44c2399bf914a722f19ebc20076ddabe04eeb902f4539ac3a0605cd133af
Opcode Fuzzy Hash: 331e8a5fee63b7a74b61d28fc572e410b9e0993d4c2c577c6c3e590767a9111c
Instruction Fuzzy Hash:

Function 00F4AD36 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00F4AD36

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9feb8015fbd948a93286c52a326a724bf3207c334b91a928b327eeae72cd7af6
Instruction ID: 50c0abd19b1df77370ff05376e9065d5a5f39d1182a7e3e31f39e4db2803dec5
Opcode Fuzzy Hash: 9feb8015fbd948a93286c52a326a724bf3207c334b91a928b327eeae72cd7af6
Instruction Fuzzy Hash: A0A012701023088B53008F35590860A369559052A130444189000C0220DF604040BF01

Function 00F41000 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20fd77ec47f1bf11cfd994f3cb3058dd0bab4411cc50a03e1d618ec53617c6f
Instruction ID: 98051c0dee48df859f8b58cab451d5025862c1d1f94b27f517e117fc0c7f95f7
Opcode Fuzzy Hash: f20fd77ec47f1bf11cfd994f3cb3058dd0bab4411cc50a03e1d618ec53617c6f
Instruction Fuzzy Hash: EB5179B0D1020D9FCB40DFA8D591AEEBFF4BB49350F24545AE815FB310E634AA81DB65

Function 00F41710 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcebdd081831f5d40d0dfc4ff9555453f80925fc8f79891eacc6ce3409bfe4b7
Instruction ID: 78274eae3fbbfc8061421e4067f5165c22b061edd507b30f975bd67dd356a228
Opcode Fuzzy Hash: dcebdd081831f5d40d0dfc4ff9555453f80925fc8f79891eacc6ce3409bfe4b7
Instruction Fuzzy Hash: 42D0923A651A98AFC211CF49E440D42F7B8FB8D670B254066EE18A3B20C371FC11CBE0

Function 00F54EFE Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(01520E78,01520E78,00000000,7FFFFFFF,?,00F54EE9,01520E78,01520E78,00000000,01520E78,?,?,?,?,01520E78,00000000), ref: 00F54FA4
__alloca_probe_16.LIBCMT ref: 00F5505F
__alloca_probe_16.LIBCMT ref: 00F550EE
__freea.LIBCMT ref: 00F55139
__freea.LIBCMT ref: 00F5513F
__freea.LIBCMT ref: 00F55175
__freea.LIBCMT ref: 00F5517B
__freea.LIBCMT ref: 00F5518B

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: e0c4fe16b0d5e45e9c66d91513db9c6ef4441a9e7ce7fa14fb9b110d320579cb
Instruction ID: 3a0fd7ded522c55029b3d5c77a392a05cac3c72c4e5abcb1f70400091c131a58
Opcode Fuzzy Hash: e0c4fe16b0d5e45e9c66d91513db9c6ef4441a9e7ce7fa14fb9b110d320579cb
Instruction Fuzzy Hash: CE71E972D00A066BDF209EA4CC61FAE7FF99F45B26F190055EF04AB281E6359C48E790

Function 00F4D1AB Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F4D231

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d342e6d9dd7ece84147137a26a5d8741f20fb399666de0e3a91680ebf0403a46
Instruction ID: 917de40494e99f5710665ae4a2dbee887aa39ac356cd82eb1b09d8deb9ed3256
Opcode Fuzzy Hash: d342e6d9dd7ece84147137a26a5d8741f20fb399666de0e3a91680ebf0403a46
Instruction Fuzzy Hash: 2FB13432E01355AFDB15CF64CC82BBE7FA5EF55320F144165ED44AB282D2B4E901E7A1

Function 00F45570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F455A7
___except_validate_context_record.LIBVCRUNTIME ref: 00F455AF
_ValidateLocalCookies.LIBCMT ref: 00F45638
__IsNonwritableInCurrentImage.LIBCMT ref: 00F45663
_ValidateLocalCookies.LIBCMT ref: 00F456B8

Strings

csm, xrefs: 00F4564D

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5be20ea3547939befd86c72b04d5459679fd4dca201e01989e2fc50cdc12df1d
Instruction ID: 5da696a8222069b3c859550719fc5bd69ea8e0078d80b3afc7d23dd5b70d9afa
Opcode Fuzzy Hash: 5be20ea3547939befd86c72b04d5459679fd4dca201e01989e2fc50cdc12df1d
Instruction Fuzzy Hash: 4941DF34E00608ABCF10EF68CC84AAEBFB5AF05724F558055ED149B293D735EA45EB91

Function 00F4418D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F44193
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00F441A1
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00F441B2

Strings

GetTempPath2W, xrefs: 00F441A7
kernel32.dll, xrefs: 00F4418E
GetSystemTimePreciseAsFileTime, xrefs: 00F4419B

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 461a41042fa83f2a7a0cddad98942bd8c8174b65016094d6839ba84ca5f65e77
Instruction ID: f6e53b740d9c22b7a6637d70b1b79a800f9126aaf07a651875f8fb90e947ff89
Opcode Fuzzy Hash: 461a41042fa83f2a7a0cddad98942bd8c8174b65016094d6839ba84ca5f65e77
Instruction Fuzzy Hash: 3BD09E715463286F97105B707D0D8967AD4EA196133054496FA02D2250DBF08906FEE5

Function 00F49559 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F49550,00F4535B,00F44A6A), ref: 00F49567
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F49575
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F4958E
SetLastError.KERNEL32(00000000,00F49550,00F4535B,00F44A6A), ref: 00F495E0

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 746132f3e1303b46791c983a1034551b465335ffb764084647e3f81c251dd23a
Instruction ID: a9656f75dd01f601dbc3982dafff4654708efcef9866e71248a829157d80df75
Opcode Fuzzy Hash: 746132f3e1303b46791c983a1034551b465335ffb764084647e3f81c251dd23a
Instruction Fuzzy Hash: AF01D433B1D3165EA62627B4BC8996B3F94DB197767344339FE24461E0EF954C0AB140

Function 00F49DE9 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00F49F08
CallUnexpected.LIBVCRUNTIME ref: 00F4A181

Strings

csm, xrefs: 00F49E93
csm, xrefs: 00F49F3F
csm, xrefs: 00F49E26

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 2d590664ad3db87a0ec298c182d4fdb2556d4bfb6c9506dfa120afbce424250e
Instruction ID: c169dfcfd7303423a43f465e9bddccc01ad0b818bf32c6cc82a3b5a7b2859287
Opcode Fuzzy Hash: 2d590664ad3db87a0ec298c182d4fdb2556d4bfb6c9506dfa120afbce424250e
Instruction Fuzzy Hash: 6FB16771E04209AFCF29DFA4C8819AEBFB5BF54320F14415AEC116B206D379DA51EF92

Function 00F4EBBB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Bootstrapper.exe, xrefs: 00F4EBD7

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Bootstrapper.exe
API String ID: 0-3446393282
Opcode ID: fad07bf095191b1ad187319764fa5321296b602c8e2402deb70f7f06cee48c9a
Instruction ID: 07fe882ae1f1aa1b6a3dbd691ac3101bd745ed4cf32712877c53919f8f0b31f3
Opcode Fuzzy Hash: fad07bf095191b1ad187319764fa5321296b602c8e2402deb70f7f06cee48c9a
Instruction Fuzzy Hash: 44219D72A00216AF9B20AF658C8496A7FA9FF503647148524FE1A97150EB34EC50F7A0

Function 00F41C20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00F41C80
RegisterClassW.USER32 ref: 00F41C98
GetMessageA.USER32 ref: 00F41CED

Strings

(, xrefs: 00F41C49
grDee, xrefs: 00F41C56

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ClassHandleMessageModuleRegister
String ID: ($grDee
API String ID: 1585107554-1172702150
Opcode ID: 7861c10b77597598e12fa9a07a24f6cb8de2b2ec06ec14933ee5d29d6c655532
Instruction ID: 4c8b1b68c5507be1e96960a4c7c8777b5dddff1101988de9523137d8ba3c9a41
Opcode Fuzzy Hash: 7861c10b77597598e12fa9a07a24f6cb8de2b2ec06ec14933ee5d29d6c655532
Instruction Fuzzy Hash: 4C21C6B09043089FDB00EFA8D58879EBFF4BB08305F50842AE859DB254E7749988EB42

Function 00F4812B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1C088254,?,?,00000000,00F56BC3,000000FF,?,00F481EC,00000002,?,00F48288,00F493CD), ref: 00F48160
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F48172
FreeLibrary.KERNEL32(00000000,?,?,00000000,00F56BC3,000000FF,?,00F481EC,00000002,?,00F48288,00F493CD), ref: 00F48194

Strings

mscoree.dll, xrefs: 00F48159
CorExitProcess, xrefs: 00F4816A

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ad8d1291ebf774f7ddf6bcda73277c09dfa85bbf480ef8589278bedb140fc663
Instruction ID: fcaf7d3f40e08e64e79030cabfd013f0aeb05784fb579b75e01eb1fc796f9a62
Opcode Fuzzy Hash: ad8d1291ebf774f7ddf6bcda73277c09dfa85bbf480ef8589278bedb140fc663
Instruction Fuzzy Hash: BC01A231904719BFDB118F54CC09FAEBBB8FB44B62F040626ED11A22A0DBB49905EA80

Function 00F500C5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00F5014A
__alloca_probe_16.LIBCMT ref: 00F50213
__freea.LIBCMT ref: 00F5027A

Part of subcall function 00F4C7F6: RtlAllocateHeap.NTDLL(00000000,00F4BA97,?,?,00F4BA97,00000220,?,00000000,?), ref: 00F4C828

__freea.LIBCMT ref: 00F5028D
__freea.LIBCMT ref: 00F5029A

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: c6236037add3544fe65bcde77772a69adc83b0d575d774bef942fd43cbeca2e6
Instruction ID: fb0de4bd7a3f6b4b7bd51890cdc79bcf816ce3f2d8cac6c9a3711b511bf401d9
Opcode Fuzzy Hash: c6236037add3544fe65bcde77772a69adc83b0d575d774bef942fd43cbeca2e6
Instruction Fuzzy Hash: D4519372A0020AAFEB205FA4CC89EBB7BA9DF45761F190528FE04D6151EF74DC58E660

Function 00F43FE5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F43FF9
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F44018
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F44046
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F440A1
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F440B8

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: fc58e6fb5ea892f500ae5de3ad83d7f681267d016c03b06d6a5993be1920c010
Instruction ID: fd5ecca83c2bfd6822a6297d8306d9e4cb21d3390363ac406afe05fc99e7c747
Opcode Fuzzy Hash: fc58e6fb5ea892f500ae5de3ad83d7f681267d016c03b06d6a5993be1920c010
Instruction Fuzzy Hash: AA417C3190060ADFCB20DF68C881B6AFBF5FF44321B104A29DA56E7A40D730F9A4EB51

Function 00F4FE06 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00F4FEA2,00000000,?,00F60760,?,?,?,00F4FDD9,00000004,InitializeCriticalSectionEx,00F58880,00F58888), ref: 00F4FE13
GetLastError.KERNEL32(?,00F4FEA2,00000000,?,00F60760,?,?,?,00F4FDD9,00000004,InitializeCriticalSectionEx,00F58880,00F58888,00000000,?,00F4A43C), ref: 00F4FE1D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00F4FE45

Strings

api-ms-, xrefs: 00F4FE2A

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 2d42f01c6430f1735d78cf4569c79d559135ef56756ed4c23d905658951e26f1
Instruction ID: 53c577909f4a9f08982e536f8d69ca26c97a19f973239617ad6a160834a19796
Opcode Fuzzy Hash: 2d42f01c6430f1735d78cf4569c79d559135ef56756ed4c23d905658951e26f1
Instruction Fuzzy Hash: BBE01A30680349B6EA312B64EC4AF593E599F00B62F104434FE0CE90E2EBA1E894F545

Function 00F5078C Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(1C088254,00000000,00000000,?), ref: 00F507EF

Part of subcall function 00F4F276: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F50270,?,00000000,-00000008), ref: 00F4F2D7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F50A41
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F50A87
GetLastError.KERNEL32 ref: 00F50B2A

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 617134ab95bf3d00097057bf87febb7e49799fb8469e5433a821de2e9241751e
Instruction ID: 090242c76d4964937a405033327e02bbeed0fe15ddd7c83e54e2ec6e6d711413
Opcode Fuzzy Hash: 617134ab95bf3d00097057bf87febb7e49799fb8469e5433a821de2e9241751e
Instruction Fuzzy Hash: 21D1AFB5D00248AFCF15CFA8C8809EDBBB5FF48315F24416AE956EB352DB30A945DB50

Function 00F49B10 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F49BD7
___AdjustPointer.LIBCMT ref: 00F49BFA
___AdjustPointer.LIBCMT ref: 00F49C96

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ccade4e4eb9abbd19825e7fa6f575ce478d7c94e19330f2db8130ee6cd7c44e0
Instruction ID: d1e047171af51aabebf650a32fb7786ffd4a4915ff3fb1276771d023575d6b5b
Opcode Fuzzy Hash: ccade4e4eb9abbd19825e7fa6f575ce478d7c94e19330f2db8130ee6cd7c44e0
Instruction Fuzzy Hash: 1351D172B086069FDB299F10D881BBB7BE4EF44725F24052DEE1146291D7B5ED80E790

Function 00F4E61F Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00F4F276: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F50270,?,00000000,-00000008), ref: 00F4F2D7

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00F4E9C5,?,?,?,00000000), ref: 00F4E683
__dosmaperr.LIBCMT ref: 00F4E68A
GetLastError.KERNEL32(00000000,00F4E9C5,?,?,00000000,?,?,?,00000000,00000000,?,00F4E9C5,?,?,?,00000000), ref: 00F4E6C4
__dosmaperr.LIBCMT ref: 00F4E6CB

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 00da19cc4078883941444e9cc6074fbf271ae2394ee693263999c96cb3b9b2e0
Instruction ID: e3d2ac319adf6d764c0e9e2bf4867a1a443bbdb84b3375f4b971d6cce0305a3c
Opcode Fuzzy Hash: 00da19cc4078883941444e9cc6074fbf271ae2394ee693263999c96cb3b9b2e0
Instruction Fuzzy Hash: BA21D471A10205AFDB20AF65CC8196ABFA9FF20374B058528FD59D7250EB34EC50BB90

Function 00F4F372 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F4F37A

Part of subcall function 00F4F276: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F50270,?,00000000,-00000008), ref: 00F4F2D7

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4F3B2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4F3D2

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b5a6af2d0ff049c379036bc597fabb249b72f886e5c2b98a854dbdf69938b112
Instruction ID: b2f816fcb3a8f29c9f40bf7373d30f93c24c69541746ecba9a95880db27cf2e3
Opcode Fuzzy Hash: b5a6af2d0ff049c379036bc597fabb249b72f886e5c2b98a854dbdf69938b112
Instruction Fuzzy Hash: 8D11C4B290161A7FA62167719D89CBF7DADDE853A47100034FE09D1111FF64DF0571B1

Function 00F41E40 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00F41E6D
GetCurrentThreadId.KERNEL32 ref: 00F41E7B
std::_Throw_Cpp_error.LIBCPMT ref: 00F41E94
std::_Throw_Cpp_error.LIBCPMT ref: 00F41ED3

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: ae7f5642fe8f68ecee87c41d256c985a557cb4d4734cf10ab75937ac26a6a344
Instruction ID: ef2acfc9329be898bfd47eef691c2d6a43bd0820ce2fb8d2c12b83a823dd4454
Opcode Fuzzy Hash: ae7f5642fe8f68ecee87c41d256c985a557cb4d4734cf10ab75937ac26a6a344
Instruction Fuzzy Hash: E421B4B4E042098FCB04EFA9C5957AEBBF1FF48300F11846DE859A7351D738AA40DB61

Function 00F551BC Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000), ref: 00F551D3
GetLastError.KERNEL32(?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000,?,?,?,00F504C4,?), ref: 00F551DF

Part of subcall function 00F55230: CloseHandle.KERNEL32(FFFFFFFE,00F551EF,?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000,?,?), ref: 00F55240

___initconout.LIBCMT ref: 00F551EF

Part of subcall function 00F55211: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F551AD,00F5402B,?,?,00F50B7E,?,00000000,00000000,?), ref: 00F55224

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000,?), ref: 00F55204

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7640ff582bcd58daee26c49f37e0887e6ac07df7cf90b1e34a071718518807f7
Instruction ID: 65396f3f550551488a92305a18f803ea395f190cdbe3773172e653b1ab55eec2
Opcode Fuzzy Hash: 7640ff582bcd58daee26c49f37e0887e6ac07df7cf90b1e34a071718518807f7
Instruction Fuzzy Hash: 5DF0AC37501618BBCF222F95DC1899E7F66FB097A2F054150FF19D6130CA728864FB91

Function 00F447F1 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F44803
GetCurrentThreadId.KERNEL32 ref: 00F44812
GetCurrentProcessId.KERNEL32 ref: 00F4481B
QueryPerformanceCounter.KERNEL32(?), ref: 00F44828

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 17b98e3124da9789f9b1824509c2a45c9a973dc314a0b734dccf932f70d3b2cf
Instruction ID: fcec763aa5a2f3ac12e9f355f7d58ce8732940cabb1795571fc40afd0fdefe79
Opcode Fuzzy Hash: 17b98e3124da9789f9b1824509c2a45c9a973dc314a0b734dccf932f70d3b2cf
Instruction Fuzzy Hash: 26F06274D1120DEBCB10DBB4D94999EBBF8FF1C205B924595A512E7110EB30AB44EB51

Function 00F4A20D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00F4A10E,?,?,00000000,00000000,00000000,?), ref: 00F4A232

Strings

RCC, xrefs: 00F4A24C
MOC, xrefs: 00F4A244

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5bc4ea05e952d1b7904c5ed5fb6b9b1b11f609275c6fb624d8ebf96b5e36fbbe
Instruction ID: bcfee902ebfb0a9d1ae81a24aa129f6a40fdbc2edf1b02d725729b7cbb10229a
Opcode Fuzzy Hash: 5bc4ea05e952d1b7904c5ed5fb6b9b1b11f609275c6fb624d8ebf96b5e36fbbe
Instruction Fuzzy Hash: 52415872D00209AFCF15DF98CC81AEE7BB5BF49310F184159FD04A6215D37A9A50EB52

Function 00F49A79 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00F49CF0

Strings

csm, xrefs: 00F49D83
csm, xrefs: 00F49D12

Memory Dump Source

Source File: 00000000.00000002.3261530485.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.3261510358.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261549522.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261565289.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261579872.0000000000F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261593154.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261605958.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 86a1529ad5f6c66507ce6f90fce3412c339b5c988d598ce30420958807f91ff6
Instruction ID: fa380287b6d38476570ca33f62c2f93856080c00b3135388c13b6f101b91f34d
Opcode Fuzzy Hash: 86a1529ad5f6c66507ce6f90fce3412c339b5c988d598ce30420958807f91ff6
Instruction Fuzzy Hash: 97318172F086189BCF269F90CC4496BBF75FB08325B18455AFC9849211C3B6CCA2FB81

Analysis Process: Bootstrapper.exePID: 1308, Parent PID: 380COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.2%
Total number of Nodes:	46
Total number of Limit Nodes:	2

Executed Functions

Function 00408690 Relevance: 7.6, APIs: 5, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004086B4
GetCurrentThreadId.KERNEL32 ref: 004086BD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408747
GetForegroundWindow.USER32 ref: 0040875C
ExitProcess.KERNEL32 ref: 00408802

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 37a0ec6870dc0fb0ad318479aee5d7f12ed29ffaede1747beb4ee3a8cdfeb443
Instruction ID: 0bad5f28080b8470d048b721433eb90ba7a94f9a9d90223e094da1d7e483a355
Opcode Fuzzy Hash: 37a0ec6870dc0fb0ad318479aee5d7f12ed29ffaede1747beb4ee3a8cdfeb443
Instruction Fuzzy Hash: 723126B7F442181BD7583AF88C1A76AB1464784750F0E813E6A85AB3C6ED7D9C0892D8

Function 0043A590 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043C78E,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A5BE

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00433C4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00433C7B

Strings

B, xrefs: 00433C90
X, xrefs: 00433C98
G, xrefs: 00433C94

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: B$G$X
API String ID: 95929093-718038904
Opcode ID: cea6caf367456735cccd22bf7fecc7ea61469d3043e6cfdfc41ca1aa6f93d917
Instruction ID: c0f093f9165898debdab45cf0d2857b73eed0ceda59580a634d27313590495e8
Opcode Fuzzy Hash: cea6caf367456735cccd22bf7fecc7ea61469d3043e6cfdfc41ca1aa6f93d917
Instruction Fuzzy Hash: 5421C372E052A48FCB19CF78C85429D7BA16B5E310F1942BDD959B73D1CA744A008B14

Function 0043A520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,YiC,?,00004000,?,00436959,00000000,00004000,?,?,?,?,?,00000001,?), ref: 0043A552

Strings

YiC, xrefs: 0043A526, 0043A54C

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: AllocateHeap
String ID: YiC
API String ID: 1279760036-3351645417
Opcode ID: ccb52fcee44fa2503c15d62f1d55caf44795b902a86d6c70093645d462611f20
Instruction ID: d269fb777d92cde2a11258156df0a8d19cd57ae4fcf315b42c433fa53933ea0b
Opcode Fuzzy Hash: ccb52fcee44fa2503c15d62f1d55caf44795b902a86d6c70093645d462611f20
Instruction Fuzzy Hash: 11F020B6508201FBC3006B24BC05A173B68BF8B791F02147AF404A7221EB29E812C2AF

Function 0043A7FE Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043A7FE
GetForegroundWindow.USER32 ref: 0043A810

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c24ecbb9dcec99d33ca91be8b2ab620748ccc2aa726f67644dafeeccb8d23412
Instruction ID: 42817ac93fc1a763581e5e5671a54b6cf7b21fa61aec8cc4ddbf826641c85c6d
Opcode Fuzzy Hash: c24ecbb9dcec99d33ca91be8b2ab620748ccc2aa726f67644dafeeccb8d23412
Instruction Fuzzy Hash: 6DD05EFEB20300E7C60497B5FC4A4163E15A78B21DB140838E8028331AE935A5198A8A

Function 00438C00 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00412D44), ref: 00438C1E

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 97eb6e28a9088ddfa10615d9232fb41269813c6520c0580c8971cbc254142f5a
Instruction ID: 4ab641daebeca8f47e2ee9210594741c4393d6cd6d13037877c581f6269ef0b5
Opcode Fuzzy Hash: 97eb6e28a9088ddfa10615d9232fb41269813c6520c0580c8971cbc254142f5a
Instruction Fuzzy Hash: 71D01231405222FBC6111F15FC06BC63A54DF0A761F030465B440AF572C774DC518AD8

Function 00438BE0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,00414DBA,00000000,00414DBA,00000400), ref: 00438BF0

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 498cc4acdbbea44767197380d009527ce82c69219abb2adda7a13de7568a67c3
Instruction ID: df19a07321e80c7305b6568635d78d0218809de2539a36665761b217ce541d88
Opcode Fuzzy Hash: 498cc4acdbbea44767197380d009527ce82c69219abb2adda7a13de7568a67c3
Instruction Fuzzy Hash: 78C09B31045121ABD7112B15FC05FC67F94DF55355F015455B50467172C770AC52C6D8

Non-executed Functions

Function 00435CD0 Relevance: 28.9, APIs: 10, Strings: 6, Instructions: 855memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C,00000000), ref: 00435F27
SysAllocString.OLEAUT32(24FC22F3), ref: 00435F9E
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00435FE0
SysAllocString.OLEAUT32(E7B7E5B3), ref: 00436038
SysAllocString.OLEAUT32(2FEB2DFF), ref: 00436127
VariantInit.OLEAUT32(?), ref: 004361A3
SysFreeString.OLEAUT32(?), ref: 004364A0

Strings

g., xrefs: 00435E19
$:;<, xrefs: 00435D72, 00435E03
C|}~, xrefs: 00435D06
>0, xrefs: 00435F50
56, xrefs: 00435F60
C, xrefs: 00435E0F

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
String ID: $:;<$56$C$C|}~$g.$>0
API String ID: 2895375541-3651939093
Opcode ID: b47a5b7ce8a07a53a0c7c1511aea60c1a4b147cfd01d2a8195d1484da4a599f5
Instruction ID: 890a40299c4320638d04f71d51de2d8bf3c1d26d075bb548c266c7b932209c4c
Opcode Fuzzy Hash: b47a5b7ce8a07a53a0c7c1511aea60c1a4b147cfd01d2a8195d1484da4a599f5
Instruction Fuzzy Hash: 0542F0726083419BD314CF29C88176BBBE2FFD9314F15CA2EE5958B391D778D8068B46

Function 00423BE0 Relevance: 24.8, Strings: 19, Instructions: 1074COMMON

Download Yara Rule

Strings

>p'r, xrefs: 004243F4
%y, xrefs: 004246F3
Y>Ny, xrefs: 0042497C
,,, xrefs: 0042404F
51, xrefs: 0042405D
wXZ, xrefs: 0042439F
4<, xrefs: 00424056
OD, xrefs: 0042454D
z b", xrefs: 00424391
210?, xrefs: 00424BB5
BrDt, xrefs: 004248EB
MB, xrefs: 00424543
h~, xrefs: 00424313
1, xrefs: 004246E5
e$c&, xrefs: 00424398
9|/~, xrefs: 004243EA
%t"v, xrefs: 004243FE
[(`*, xrefs: 00424383
6T, xrefs: 004246EC

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: %t"v$%y$,,$1$210?$4<$51$6T$9|/~$>p'r$BrDt$MB$OD$Y>Ny$[(`*$e$c&$h~$wXZ$z b"
API String ID: 0-1201204788
Opcode ID: 4b1015466e278b929e118ce4ed626084a23a137f5fc1726ece6e0787df70160f
Instruction ID: 73f6a621109cc90ddff3c6aa43f55eb060d26912469c65db532073efbdc61d51
Opcode Fuzzy Hash: 4b1015466e278b929e118ce4ed626084a23a137f5fc1726ece6e0787df70160f
Instruction Fuzzy Hash: E7A2C8B4A00314CFDB24CF69D98179ABBB0FB45304F1485ADE499AF362C775A846CF86

Function 004310F0 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 115clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431100
GetWindowLongW.USER32 ref: 00431125
GetClipboardData.USER32 ref: 00431135
GlobalLock.KERNEL32 ref: 0043114E
GlobalUnlock.KERNEL32 ref: 00431260
CloseClipboard.USER32 ref: 00431269

Strings

Y, xrefs: 00431199
f, xrefs: 004311C1
p, xrefs: 004311B2
a, xrefs: 004311B7
u, xrefs: 004311A3
|, xrefs: 004311AD
w, xrefs: 0043119E

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: Y$a$f$p$u$w$|
API String ID: 2832541153-2284292085
Opcode ID: 5e36e375f1d3616efb5925b98702682964678bac67f534981d514f7104df9693
Instruction ID: a7bb48f9588a08ba5d4e74781bd5dda47cb13f750a9a9469d6e38ccf83cb7dd4
Opcode Fuzzy Hash: 5e36e375f1d3616efb5925b98702682964678bac67f534981d514f7104df9693
Instruction Fuzzy Hash: B741B27150C3808ED300AFB8D48936FBEE09B95304F08487EE8D997292D6BC954CD7A7

Function 0041614F Relevance: 12.1, Strings: 9, Instructions: 858COMMON

Download Yara Rule

Strings

8kIm, xrefs: 004162C4
T%V', xrefs: 00415FF6
d9:;, xrefs: 00416019
2g;i, xrefs: 004162BD
~k2k, xrefs: 004169ED
O-O/, xrefs: 00416004
[5X7, xrefs: 00416012
D)C+, xrefs: 00415FFD
D1[3, xrefs: 0041600B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 2g;i$8kIm$D)C+$D1[3$O-O/$T%V'$[5X7$d9:;$~k2k
API String ID: 0-2097714346
Opcode ID: b51fa1176c5b6392b39a591ed784388f41530b1d19164dd194162514ffc6249e
Instruction ID: 6676156bf484a26a91f4244351072eab9ed3cd47fae5c89b60e60c1fcce1d4df
Opcode Fuzzy Hash: b51fa1176c5b6392b39a591ed784388f41530b1d19164dd194162514ffc6249e
Instruction Fuzzy Hash: A552C1756007028FC324CF29C8917A3B7F2FF9A314B19866ED8968B7A5D739E841CB54

Function 0041C970 Relevance: 9.4, Strings: 7, Instructions: 640COMMON

Download Yara Rule

Strings

mn, xrefs: 0041D159
G5B7, xrefs: 0041CCB0
W9H;, xrefs: 0041CCB8
VW, xrefs: 0041CA50
23, xrefs: 0041CF65
x1[3, xrefs: 0041CCD0
E=>?, xrefs: 0041CCC0

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 23$E=>?$G5B7$VW$W9H;$mn$x1[3
API String ID: 0-1932231205
Opcode ID: 578cdd8ec54e5127dde402a7af58c4273ae186bfa85492365f354deb87b46444
Instruction ID: bc73f2a168b3373ead856b180f3c4f045646724e8183eb4d54cb76ba599439d0
Opcode Fuzzy Hash: 578cdd8ec54e5127dde402a7af58c4273ae186bfa85492365f354deb87b46444
Instruction Fuzzy Hash: 9B12EEB564C3409BC704CF29D8916ABBBE2EFD5314F08892CF4C58B351D638DA46CB8A

Function 00423455 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 444COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00423736

Strings

n, xrefs: 004234F7
)~, xrefs: 0042369B
`8\:, xrefs: 00423505
EG, xrefs: 0042394C

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: DrivesLogical
String ID: )~$`8\:$n$EG
API String ID: 999431828-1333577173
Opcode ID: 76a2f19b132b5b1ce4695d878575fd38bb0991c3c506a5b209fabfd3ca67eb46
Instruction ID: a56b4e4231ed61e16d409fafa911a127b25f0407a846935af76d05a876e27409
Opcode Fuzzy Hash: 76a2f19b132b5b1ce4695d878575fd38bb0991c3c506a5b209fabfd3ca67eb46
Instruction Fuzzy Hash: EEE176F5A00221CFCB14CF64D8C16AABBB1FF4A314B5542A9E8459F366D378E941CF98

Function 0042AB20 Relevance: 9.0, Strings: 7, Instructions: 260COMMON

Download Yara Rule

Strings

NO?, xrefs: 0042AD20
S"., xrefs: 0042AD15
j, xrefs: 0042ABEA
RI, xrefs: 0042ABE0
=, xrefs: 0042AD2B
Gi`c, xrefs: 0042ACF4
1alj, xrefs: 0042AD0A

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 1alj$=$Gi`c$NO?$RI$S".$j
API String ID: 0-3348695509
Opcode ID: d4fdf16ececc3d62630d683be0476c3f7931c9760f23a33a7f6d2af70448cc19
Instruction ID: 0ff019a2f508e9586a8b9ad149e009e8a57ee93c3348e62945e462fc401ba87c
Opcode Fuzzy Hash: d4fdf16ececc3d62630d683be0476c3f7931c9760f23a33a7f6d2af70448cc19
Instruction Fuzzy Hash: E081DDB1A8C3D18BD334CF2598517ABBBE2ABD2300F19896DC9D96B381D7790405CB97

Function 004155F6 Relevance: 8.6, Strings: 6, Instructions: 1131COMMON

Download Yara Rule

Strings

T%V', xrefs: 00415FF6
d9:;, xrefs: 00416019
O-O/, xrefs: 00416004
[5X7, xrefs: 00416012
D)C+, xrefs: 00415FFD
D1[3, xrefs: 0041600B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: D)C+$D1[3$O-O/$T%V'$[5X7$d9:;
API String ID: 0-2763997609
Opcode ID: e02ed64a53c6d696775c77669c1fbcbe43d39e93506cae7a4caf129e0a232799
Instruction ID: 9f59d2ee2bd389c1700a31ec1e6ca30451fea2ea1485e604e77a7b22202e602d
Opcode Fuzzy Hash: e02ed64a53c6d696775c77669c1fbcbe43d39e93506cae7a4caf129e0a232799
Instruction Fuzzy Hash: 4B62D175610B01CFD724CF29C891AA3B7F2FF9A310B19859ED4868B7A5D738E842CB54

Function 00F52930 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8eb3cd4a956a794ca677142f179592e97daeae2fe173f9db45350db7659e00
Instruction ID: b9d88cfbf2351792ee9f3b98354c52f25d7eec183df54f767ecbfb3beff486d3
Opcode Fuzzy Hash: fd8eb3cd4a956a794ca677142f179592e97daeae2fe173f9db45350db7659e00
Instruction Fuzzy Hash: 94023C71E002199BDF14CFA8D8806AEFBF1FF49325F248269DA19E7341D731AA45DB90

Function 0040E1A8 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 334COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E1AF

Strings

#$!, xrefs: 0040E2E0
H(%, xrefs: 0040E1CD
krst, xrefs: 0040E49B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: Uninitialize
String ID: #$!$H(%$krst
API String ID: 3861434553-4192019920
Opcode ID: dbdaf06eba881b6418bc1f4d5699aecd49c8ad2f0957e29080ecd8f341898625
Instruction ID: e66bc40a07cd52d388ef7ac057983ac102ae640f2da7b4283466f0a0331308d4
Opcode Fuzzy Hash: dbdaf06eba881b6418bc1f4d5699aecd49c8ad2f0957e29080ecd8f341898625
Instruction Fuzzy Hash: A4A1F770204B818FD329CF26C590653BFA2FF573007188A9DC4D65BB96C779A826CF95

Function 0040E549 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E550

Strings

krst, xrefs: 0040E83B
H(%, xrefs: 0040E56E
#$!, xrefs: 0040E680

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: Uninitialize
String ID: #$!$H(%$krst
API String ID: 3861434553-4192019920
Opcode ID: 47a7aa3e3d96a992367a25aa71c21a70bf38283d291385805ea68fb64790d12e
Instruction ID: 5c44be82dbc321d4541e17c0427a7c295b267d3634a3b3ae1657fea28557917a
Opcode Fuzzy Hash: 47a7aa3e3d96a992367a25aa71c21a70bf38283d291385805ea68fb64790d12e
Instruction Fuzzy Hash: 38A10670204B818FD329CF26C590663BFA2FF57300718CA9DC4D65BB96C779A826CB95

Function 00F4E842 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4E932

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 686a080d42ceb8f8ac773b3670694c73cb0f36c749e3c12bc20db2edf05dad77
Instruction ID: 276cc164ed93dd22d6347533eefbb97c086d571590b2952a992d1972c49b1beb
Opcode Fuzzy Hash: 686a080d42ceb8f8ac773b3670694c73cb0f36c749e3c12bc20db2edf05dad77
Instruction Fuzzy Hash: A071E271C05119AFDF21EF388C99ABABFB9BF45310F1441D9E848A7251EB348E85AF10

Function 00F44911 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F4491D
IsDebuggerPresent.KERNEL32 ref: 00F449E9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F44A02
UnhandledExceptionFilter.KERNEL32(?), ref: 00F44A0C

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 276d1e6807bba935b36edfb548a6132bfb153bacd30685c45c720356b9fc9072
Instruction ID: c62589740308da59fe610b9bb659f5f586c6f967c12a86f84a7fed0f32cb1d44
Opcode Fuzzy Hash: 276d1e6807bba935b36edfb548a6132bfb153bacd30685c45c720356b9fc9072
Instruction Fuzzy Hash: 5931F875D0532C9BDB21DFA4DD497CDBBB8AF08301F1041AAE90CAB250EB749A84EF45

Function 00418D56 Relevance: 5.6, Strings: 4, Instructions: 623COMMON

Download Yara Rule

Strings

kSkh, xrefs: 00419348
5380, xrefs: 00419414
~pla, xrefs: 00419356
krx, xrefs: 0041935D

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 5380$kSkh$krx$~pla
API String ID: 0-2908192372
Opcode ID: c9c2b8fc20147209f90d65674ef612d312ee29b9bc66546f83948c1daa11e5ae
Instruction ID: cb52675cb9ed87c35e4e4348e767a4754d3b29f81b45857b690a847853848972
Opcode Fuzzy Hash: c9c2b8fc20147209f90d65674ef612d312ee29b9bc66546f83948c1daa11e5ae
Instruction Fuzzy Hash: EA1267B1A007018FD724CF24C892763B7B2FF96314F14866DD4968B792E738E846CB95

Function 00432138 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043217E
GetSystemMetrics.USER32 ref: 0043218D

Strings

, xrefs: 00432238

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 897b2a568388da43d22a3e767c69447b08e956819552e96d124528c164c22b58
Instruction ID: 8769f04a02a87c161b6b7a4cc8516171739a3373e8756ae1f6ef6cc818a55e9e
Opcode Fuzzy Hash: 897b2a568388da43d22a3e767c69447b08e956819552e96d124528c164c22b58
Instruction Fuzzy Hash: B941E2B49143048FDB40EFA8D98465EBBF0BF89304F11852EE588DB360D374A959CF86

Function 0042B553 Relevance: 5.3, Strings: 4, Instructions: 279COMMON

Download Yara Rule

Strings

)*, xrefs: 0042CCDF
V(, xrefs: 0042CCD4
26^e, xrefs: 0042CBFC
xJ|I, xrefs: 0042CB5B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: )*$26^e$xJ|I$V(
API String ID: 0-2174692793
Opcode ID: ea6aff3e0e25c68ab1c86142d7f0d1413e6a47f2af432d74343317d13fe57de9
Instruction ID: 30d74bc065f9781b72d3ccadea17247dd91ec55f8288094b7595731dc73d9f55
Opcode Fuzzy Hash: ea6aff3e0e25c68ab1c86142d7f0d1413e6a47f2af432d74343317d13fe57de9
Instruction Fuzzy Hash: A081396160C3A14BD329CB39A4A13BFBBD1AF96304F58495DD4DA9B383CB784805C796

Function 0042C966 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

)*, xrefs: 0042CCDF
V(, xrefs: 0042CCD4
26^e, xrefs: 0042CBFC
xJ|I, xrefs: 0042CB5B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: )*$26^e$xJ|I$V(
API String ID: 0-2174692793
Opcode ID: 41e8fa62b6d6a2de42cb7e8edad9a3ffab431eb5b8b4eb99403d4888b686f5c9
Instruction ID: 093ebe7d07539bdf74cc64dd433371b1d5765c9779d79198450fee30ee88e5e9
Opcode Fuzzy Hash: 41e8fa62b6d6a2de42cb7e8edad9a3ffab431eb5b8b4eb99403d4888b686f5c9
Instruction Fuzzy Hash: 1081386060C3E14BE3398B3994A23BFBFD1AF96305F58495DD4CA9B383DA784805C796

Function 0042C9C1 Relevance: 5.3, Strings: 4, Instructions: 269COMMON

Download Yara Rule

Strings

)*, xrefs: 0042CCDF
V(, xrefs: 0042CCD4
26^e, xrefs: 0042CBFC
xJ|I, xrefs: 0042CB5B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: )*$26^e$xJ|I$V(
API String ID: 0-2174692793
Opcode ID: 648f1223baad129a040d1258ecc42bcffedf9a927b5609999e3667dfe1182e60
Instruction ID: 8657dfeea71b9e8893e202bc0e65d1c4a1887ce88452c116a4fe278a5986026e
Opcode Fuzzy Hash: 648f1223baad129a040d1258ecc42bcffedf9a927b5609999e3667dfe1182e60
Instruction Fuzzy Hash: 8581386060C3A04BE329CB39A4A23BFBFD1AF96304F54495DD4DA9B383CB784805C796

Function 0042C9B2 Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

)*, xrefs: 0042CCDF
V(, xrefs: 0042CCD4
26^e, xrefs: 0042CBFC
xJ|I, xrefs: 0042CB5B

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: )*$26^e$xJ|I$V(
API String ID: 0-2174692793
Opcode ID: 94ef87026091cfed7405ea4e50fb0aa2bccfe77fbba8838840769a329f44787b
Instruction ID: 794c04b3ec4755db32f8cbeb5d0221f6b60ed36bbd984cecfb9d8c689eda2f2f
Opcode Fuzzy Hash: 94ef87026091cfed7405ea4e50fb0aa2bccfe77fbba8838840769a329f44787b
Instruction Fuzzy Hash: B171286160C3D08AD3258F39A4A27BBBFD1AFA7301F58495DD4C95B383D7784405CB96

Function 00439300 Relevance: 4.4, Strings: 3, Instructions: 656COMMON

Download Yara Rule

Strings

f, xrefs: 00439521
210?, xrefs: 00439339
210?, xrefs: 00439495

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitializeThunk
String ID: 210?$210?$f
API String ID: 2994545307-2320006892
Opcode ID: 2c86bcf09b7d5e4f9b7e50c93d560ae57b09dfa56a2ead75fb89d6c2754f74c0
Instruction ID: e6edcced7924e74a55f857a553a5063923ae893db509157f008ad858b20908a0
Opcode Fuzzy Hash: 2c86bcf09b7d5e4f9b7e50c93d560ae57b09dfa56a2ead75fb89d6c2754f74c0
Instruction Fuzzy Hash: 1612E37160C3419FD715CF28C880A2BBBE1AB8E714F189A2DE495D7392D7B5DC05CB8A

Function 0042B8DF Relevance: 4.3, Strings: 3, Instructions: 526COMMON

Download Yara Rule

Strings

\N9%, xrefs: 0042BC2C
7G`;, xrefs: 0042B931
AG`;, xrefs: 0042B97F

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 7G`;$AG`;$\N9%
API String ID: 0-1062577256
Opcode ID: 12816982e55be7fb6fc54c0b319f2af02f43be937ab524284dbd41131b9a768f
Instruction ID: 3568086db77f74a640ff0ae79394bd14b863fc36d557ecdf044ddcfa3ae0eebd
Opcode Fuzzy Hash: 12816982e55be7fb6fc54c0b319f2af02f43be937ab524284dbd41131b9a768f
Instruction Fuzzy Hash: 93E1FE302083D18ED7358F3998517BBBBE1EFA6304F5849AEC4D987283DB794506CB96

Function 00436940 Relevance: 4.2, Strings: 3, Instructions: 470COMMON

Download Yara Rule

Strings

210?, xrefs: 00436B08
210?, xrefs: 00436E10, 00436AC8
210?, xrefs: 00436999

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 210?$210?$210?
API String ID: 0-2665767194
Opcode ID: 4bf036c7a9a434af90a404b37b818febbf139421217001b462c41d857f08ff4f
Instruction ID: 649a8447bb70194d7bd0e87574610e1e74ee594a4d07a19cb75e97491fcaecf9
Opcode Fuzzy Hash: 4bf036c7a9a434af90a404b37b818febbf139421217001b462c41d857f08ff4f
Instruction Fuzzy Hash: B4C14775708311ABD724DF29C881A2BB7A2AFCE704F16E52EE4D557381D734DC018B9A

Function 00427861 Relevance: 3.8, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

h"iv, xrefs: 004278B8
RSS], xrefs: 00427924, 00427928
N+(^, xrefs: 00427890

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N+(^$RSS]$h"iv
API String ID: 0-2752406265
Opcode ID: 1f4c0e7af09dbfcc043e85539a70e4c12e4f6cde8a80e52916f57e1bbcf73a30
Instruction ID: a425d5edb8d9279626c1f55cee52559f388cfdc4269d46aa7beb27abd3f512ee
Opcode Fuzzy Hash: 1f4c0e7af09dbfcc043e85539a70e4c12e4f6cde8a80e52916f57e1bbcf73a30
Instruction Fuzzy Hash: 4A21FBF2A0C3508BC3208F65D8C166FF7E1AB91704F491A7DE4D4AB341D679D8418B97

Function 00427B45 Relevance: 3.8, Strings: 3, Instructions: 78COMMON

Download Yara Rule

Strings

h"iv, xrefs: 004278B8
RSS], xrefs: 00427924, 00427928
N+(^, xrefs: 00427890

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N+(^$RSS]$h"iv
API String ID: 0-2752406265
Opcode ID: c58147787ce70ef63d30b43a27cf0b2b40ce232c8300a28f29aa15dbfc30c002
Instruction ID: ac7c0b8b6c3103885e10049798810521acebbe1871769e6a0b0995a1e1e07e91
Opcode Fuzzy Hash: c58147787ce70ef63d30b43a27cf0b2b40ce232c8300a28f29aa15dbfc30c002
Instruction Fuzzy Hash: 1321E4F2A0C3508BC3208F6999C166FF7E0AB91704F491A6DE4D4AB340D679D8418B9A

Function 00414A00 Relevance: 3.7, Strings: 2, Instructions: 1165COMMON

Download Yara Rule

Strings

210?, xrefs: 004154D0
3xZ`, xrefs: 00414C1C

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 210?$3xZ`
API String ID: 0-1933413590
Opcode ID: e82e5d3d7626e221038b1ea27d7ef429d056a23e876d3b638bb933096259eed3
Instruction ID: 710837367b41bfaad32bf4d4fea55541e548e1daa200e261bc48e5b0399addfc
Opcode Fuzzy Hash: e82e5d3d7626e221038b1ea27d7ef429d056a23e876d3b638bb933096259eed3
Instruction Fuzzy Hash: 97526575A08300DBD714DF28D8516ABB3E2EFCA705F09892DE88597391E739DC41CB8A

Function 00F413B0 Relevance: 3.1, APIs: 2, Instructions: 141encryptionCOMMON

Download Yara Rule

APIs

CryptContextAddRef.ADVAPI32 ref: 00F41530
GetLastError.KERNEL32 ref: 00F4158B

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ContextCryptErrorLast
String ID:
API String ID: 3905322190-0
Opcode ID: 81db6ecc1f7772762e6774a3f15964c3278e8993d08609e38a4c0011a6bee2ec
Instruction ID: 9d9bedcc1ae8c770d4a508f8e8a0d8a1c3ed3f59926a31063c7f19d3b8c67084
Opcode Fuzzy Hash: 81db6ecc1f7772762e6774a3f15964c3278e8993d08609e38a4c0011a6bee2ec
Instruction Fuzzy Hash: 597113B4A4922D8BCB64DF58D8987D9BBF0AB28304F1440E9E88D97351C6749AC4DF61

Function 00422450 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

de, xrefs: 0042247C
210?, xrefs: 00422885

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 210?$de
API String ID: 0-1741830708
Opcode ID: 80d08d7239720e34b09b9edab5f9fdf9ef2fa831507600d3eb9165a949558ce4
Instruction ID: 4fbf6b7cdb8289c859ac6cb7c93f2c404f0fcd68c5fb35de272243c3f10293f5
Opcode Fuzzy Hash: 80d08d7239720e34b09b9edab5f9fdf9ef2fa831507600d3eb9165a949558ce4
Instruction Fuzzy Hash: 95C13471B083206BD714DF24D992B6BB3A1EFD1314F58D52EE88587392E6BCD805C35A

Function 00409580 Relevance: 2.9, Strings: 2, Instructions: 399COMMON

Download Yara Rule

Strings

WH, xrefs: 004099D3
N, xrefs: 004097A3

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N$WH
API String ID: 0-3895860255
Opcode ID: 62bb7bd6a0935084da48d2886e296d59ac9586f3944fc0ff9a54673561e1a073
Instruction ID: 581768a3ce189c17b304531f19e3b090f2c39dfa5a3e3caf25af5d669bcdebff
Opcode Fuzzy Hash: 62bb7bd6a0935084da48d2886e296d59ac9586f3944fc0ff9a54673561e1a073
Instruction Fuzzy Hash: 14C124B191C7408BD314CF65D84166BBBE2EBC1304F18897DE4D29B392D739D90ACB9A

Function 004277B8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

]xB, xrefs: 00427857, 00427B3F, 00427B7C
nzB, xrefs: 00427A68

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: ]xB$nzB
API String ID: 0-976731151
Opcode ID: 3d73b7628c8a07daff5eca8bc6c295222b6fd97b7e3ffd65d4f5b1c78b19d4bf
Instruction ID: 534044aca68354eb9b94e3fcff7d753e6b160dd7afd08eb72693ec1398f9b7bd
Opcode Fuzzy Hash: 3d73b7628c8a07daff5eca8bc6c295222b6fd97b7e3ffd65d4f5b1c78b19d4bf
Instruction Fuzzy Hash: F961F5B5A08350CFE7209F54EC81B1BB7A4EB89314F54067EE98467392D379ED40CB9A

Function 00416B71 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

210?, xrefs: 00416ED3
210?, xrefs: 00416ABB

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 210?$210?
API String ID: 0-3490484916
Opcode ID: 364ba9bd90a781e768f79669ba861c23eaa962029b66036966d7df30daac8958
Instruction ID: 9cb695568b054339bc6a8dc68afd0e2b509d0485f003788af663f51a09b6657e
Opcode Fuzzy Hash: 364ba9bd90a781e768f79669ba861c23eaa962029b66036966d7df30daac8958
Instruction Fuzzy Hash: 87412F393147019FD328CF2AC89066777E3AFCA700F1AC439D48287796CA38E842CB09

Function 0042B8D7 Relevance: 1.8, Strings: 1, Instructions: 533COMMON

Download Yara Rule

Strings

\N9%, xrefs: 0042BC2C

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: \N9%
API String ID: 0-2669385265
Opcode ID: 0cd15ef453903435dd8dde7ae0daef208e5e5e7f96671c33a2b62639ff4484ba
Instruction ID: 4cd8241abdc2e43077e1ec48be651c3c73ed4ba870b9322e17aa6b1538665864
Opcode Fuzzy Hash: 0cd15ef453903435dd8dde7ae0daef208e5e5e7f96671c33a2b62639ff4484ba
Instruction Fuzzy Hash: 6FF134316183918ED725CF38D8517ABBBE2EF96300F58896ED4C887383D7789506CB96

Function 0042A2D0 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

", xrefs: 0042A5B8

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: afed6c6e40ad8eb197b9acf80ca715f0559aa0dae0f1a7f803cc99b3613ecc01
Instruction ID: 962c74fdfc7dd2b9b8b0cfa6f6da456b965c12865c59331e1ae6e68aef09792a
Opcode Fuzzy Hash: afed6c6e40ad8eb197b9acf80ca715f0559aa0dae0f1a7f803cc99b3613ecc01
Instruction Fuzzy Hash: B7C12472B083205BD714CE24E480B6BB7E5AB84354F58896FEC9587382D738EC55C79B

Function 00439050 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

210?, xrefs: 00439155

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: 210?
API String ID: 0-938441567
Opcode ID: 11da66e547eb90841fa350b98deecddaf63ddd35682f3574d0083c02f41da2f8
Instruction ID: c5a190ae2e3102fd1b7980d02a061b7b4cd586cfa7b7398819f9712b181c5f54
Opcode Fuzzy Hash: 11da66e547eb90841fa350b98deecddaf63ddd35682f3574d0083c02f41da2f8
Instruction Fuzzy Hash: 5E513D356043515FDB209F2888C066BB7A1EB8F720F14A97DD8D567391D3B9DC01CB8A

Function 0042C21E Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

f, xrefs: 0042C229

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 6ef1cfbacb5223f3d32c222bfe609745a97f6316de94e96703c7bf34bc788ec8
Instruction ID: 4ff711ab5437e464cc44c846211233292f294d8415037d1b6670eb6382a03a82
Opcode Fuzzy Hash: 6ef1cfbacb5223f3d32c222bfe609745a97f6316de94e96703c7bf34bc788ec8
Instruction Fuzzy Hash: F7110A33F9826247D32CCA3998A13AA7792ABD3310F1E43BD88D917681C678080583D4

Function 00427A98 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

]xB, xrefs: 00427B3F

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID: ]xB
API String ID: 0-3826366387
Opcode ID: 06aff3cf582a54048c623b0d4426254b7ce8c0e13653ec095548b465aa20fc20
Instruction ID: dfee0d253845ac456938f5bc369d05fc81ccb2e50205e66ca216bd80713e0958
Opcode Fuzzy Hash: 06aff3cf582a54048c623b0d4426254b7ce8c0e13653ec095548b465aa20fc20
Instruction Fuzzy Hash: 9101D872B5C7608BD714CE14E8E112BF7A1ABDA718F5D462DC88927702C239EC41C79A

Function 004073C0 Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1672c51fd9c31e9ea42bd1d32d72c55b1e9c8f18c9c17d969d1c6f9363df8bf0
Instruction ID: 909556d5ba2d3180738a3d432f2a54970f06f284602b5f041396e940d91f092a
Opcode Fuzzy Hash: 1672c51fd9c31e9ea42bd1d32d72c55b1e9c8f18c9c17d969d1c6f9363df8bf0
Instruction Fuzzy Hash: 5A12A532A087118BD7259F18D9806ABB3E1FFC4319F29893ED586A7381D738B855CB47

Function 0043D8B0 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d0a5d87afe7ca8244c737bec1ed3dee8c7103595d10d07319c3635f0f2ee27d
Instruction ID: d2e68c6212b2d418fcc9c6c41bf6e3ee0cfb523e00bbd8b1f07afb0b2c398bba
Opcode Fuzzy Hash: 0d0a5d87afe7ca8244c737bec1ed3dee8c7103595d10d07319c3635f0f2ee27d
Instruction Fuzzy Hash: 7AB16A36A183158FC728DE18DC8166FB3A2EFCD310F19A52DEC955B355EA78AC00D785

Function 0043D190 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04453b511abb79dc221dd30baa67d22a5f28ac6b70ad0762b6841261758a0154
Instruction ID: 2b9dfd8351571ff50df1fac108fdd276648c8f7a78c04cb702c3cc79e2d77476
Opcode Fuzzy Hash: 04453b511abb79dc221dd30baa67d22a5f28ac6b70ad0762b6841261758a0154
Instruction Fuzzy Hash: EF912636A043019BC718DF18DC9197FB3A2EFD9710F1A952DE8868B355EB78AC10C786

Function 00419605 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12db8b2629787f40ba0f1ffd88a1155af22dd2c487ca9ea803d42afc9d8bc4c2
Instruction ID: d0de0f159c41512e2efd9e05ba497228843a48ddcb593f5b1f614f5ad6c21bfc
Opcode Fuzzy Hash: 12db8b2629787f40ba0f1ffd88a1155af22dd2c487ca9ea803d42afc9d8bc4c2
Instruction Fuzzy Hash: DAC10DB4800B00AFC364AF39C947797BEF4EB05310F544A1EE8EA9B795E33064598BD6

Function 004284B0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54d4812cbdca9efaa4dd32d03d885854ba23668ddb929f22a7283977812ad24
Instruction ID: 01d695be4883e32dbece0a297ecc7df25d3bf3eacdd3029b9bf0540eaa5a7029
Opcode Fuzzy Hash: e54d4812cbdca9efaa4dd32d03d885854ba23668ddb929f22a7283977812ad24
Instruction Fuzzy Hash: 35711675E016258BCB24CF69C8512BFB7B1FF45314F14865ED892AB390E738AC41CB99

Function 0040EC1C Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9587f3d4142d8066fb7a4deaed8682cfe77aa77e352f3085c3b6ba36cb29a5f5
Instruction ID: 699ed5de78d8dc34789aa6bba5767e062bb1b8046d559df5f7d7a761b2f87b8f
Opcode Fuzzy Hash: 9587f3d4142d8066fb7a4deaed8682cfe77aa77e352f3085c3b6ba36cb29a5f5
Instruction Fuzzy Hash: D2417975A107018FD3158F39CC926A7BBE3EF9A304B09C83DD48597766E739A8168B04

Function 004029A0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b2279d4686ff0c87edb1c3a6f29c6685d2769c842c8bbb36dd4f1b40847b56
Instruction ID: e3fae022a431186262310cc81af73b7b76c588403854c4afa19441851e9de486
Opcode Fuzzy Hash: 43b2279d4686ff0c87edb1c3a6f29c6685d2769c842c8bbb36dd4f1b40847b56
Instruction Fuzzy Hash: D5510932B0C2754BC7189E2D8D5417AFBD25FC5204F0DC67AA8D9AB7CBE578980057C8

Function 0042986B Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6a7a981ee012297f9133f453376dfccb15add75bcc5cc5997a18c150477da0d
Instruction ID: e801c44f46acfe8f663ed99a147166636ba3db88eebbf5ad2c1000c2e56f75c1
Opcode Fuzzy Hash: f6a7a981ee012297f9133f453376dfccb15add75bcc5cc5997a18c150477da0d
Instruction Fuzzy Hash: 6331B0B27156209FEB189F05E96163FB352ABDA728F9C091EC88307354D639CD40C38D

Function 00419A01 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad1c27e05bae48526ef21d37114fa96da9618c47996e24cf24727eb0d9bd21c
Instruction ID: 17ba294a447aadd7df7427a815413c326a457c8cb1dddb66d2ab5f3abc514f59
Opcode Fuzzy Hash: 7ad1c27e05bae48526ef21d37114fa96da9618c47996e24cf24727eb0d9bd21c
Instruction Fuzzy Hash: F431F5B1A046119BC728CF39C862663B7F2FF65310B18972ED456CB794E739E841CB98

Function 0040D8D8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c459cf8f02962a5d539cef486ad953421bc1c1d217806a6684b2281ab3ff285e
Instruction ID: 537a01804f10d92c98ec764eee65ed1f33cb1548c16a72211717f76f9ed4d69b
Opcode Fuzzy Hash: c459cf8f02962a5d539cef486ad953421bc1c1d217806a6684b2281ab3ff285e
Instruction Fuzzy Hash: 1D310320340A015FF3459F358D81A7AB7A1AF86314B08963EE556A7BD2CF3DA8198788

Function 00430849 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b7d40aa7537a39fad7d97b1f825fbf516368abde1e050343f5ca4301ab275
Instruction ID: d043dc3d1535046ddc5e876ec5856c1e1be8bfd47996db60ba50d234ddbf66ac
Opcode Fuzzy Hash: e26b7d40aa7537a39fad7d97b1f825fbf516368abde1e050343f5ca4301ab275
Instruction Fuzzy Hash: FF21A1B0510641AFEB04EF3CC956A277BE8EB49204F50865DF992CB291D73498198B92

Function 004336F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 6ef30ca1445592a9c3b53a5e2af72c938ffc6a907e50ef6da1edd17ea95b01e6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8611ECB3A091D40EC3158D3C8400575BFD30A97636F59D39AF4B4972D6D72A8E8B8359

Function 00429D40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a843b89005db5e1f8be9cdea031cfeaf9828db738bbd44e69a8755a80b10e4
Instruction ID: a81b3d00bc8aa10a62545a0fc1aeee7cfa2ef7ce61e8c1db04029c3fe76537da
Opcode Fuzzy Hash: 97a843b89005db5e1f8be9cdea031cfeaf9828db738bbd44e69a8755a80b10e4
Instruction Fuzzy Hash: 0001B1F1B1131147DB20AE12E4C072BB2A96F80708F48003EE80857742DB7AFC05E6DA

Function 0042C185 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabd174780cc9aa189e3fc3c3e3d439c7013008dcd643942a0217721b449113c
Instruction ID: 1b1e28f142fc40dada570eccfb75ec32d4c42bd48a6a0e085ce28370048e8f8e
Opcode Fuzzy Hash: cabd174780cc9aa189e3fc3c3e3d439c7013008dcd643942a0217721b449113c
Instruction Fuzzy Hash: 23110832B593A247C728CF3491B037FBAD1ABD7300F2D466E88C657381D6644C018795

Function 0040C78C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae93686c9fd5d4a93ba27be6d46edbba98973eb85845054974411c389a1951c
Instruction ID: b8258f4aaadd2724199e8eb162b64155f514f2e49493870b5ded072f3b4a80df
Opcode Fuzzy Hash: eae93686c9fd5d4a93ba27be6d46edbba98973eb85845054974411c389a1951c
Instruction Fuzzy Hash: 0101C03435D3419BD358CF28A99176FBBA1DFD2324F18692CE186932D2D6B4D8018E0E

Function 0042C1E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c14aba6950bcc1f08e2d29361257fa2396dd7e4b507fce0b451e9fc6049fdc3
Instruction ID: 1fa2e484e41c3c9bd547b1aa8145b7012835ffbead1e0b0c6fcc3640ce6fdd11
Opcode Fuzzy Hash: 6c14aba6950bcc1f08e2d29361257fa2396dd7e4b507fce0b451e9fc6049fdc3
Instruction Fuzzy Hash: 3301F235E482B18BD3288B3590A03ABB7E1ABD7350F6D56ADCCCA17742D6380C0683D6

Function 0041BFEB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fda5c452843f1e5a81f077192f6974bd7e88381cb8319f3bb522b56a1e0dd18
Instruction ID: eb46b275d29c56c9900951392990b2da4fe5ba5c14a3e19c101530e62f6af2c6
Opcode Fuzzy Hash: 8fda5c452843f1e5a81f077192f6974bd7e88381cb8319f3bb522b56a1e0dd18
Instruction Fuzzy Hash: 0911A1311083818EC744CF38D96476BBFE19B87218F49596DE0D2972D2C739C649CB56

Function 0043BCC0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336073fb1b5229e8b528e604c8f86988a02f6c696b1ec01ddb9a673e56657336
Instruction ID: 79793bb17aad9fe90058005dffc1790c55e66d42de7cf847024cfd1ab97f4b8c
Opcode Fuzzy Hash: 336073fb1b5229e8b528e604c8f86988a02f6c696b1ec01ddb9a673e56657336
Instruction Fuzzy Hash: 15F02873F0506047D328C93DDC320A7B6D2DBD6224F1AE67DC496DB658DC3898018281

Function 00402B80 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b20dbc0ea9093b2c88654f9c8a57ead3f6235fee2f7e22621284e15a2560ff1
Instruction ID: 7880e47b932dfe555dd59905053796492add6ec29f70d345eb0ed74041150195
Opcode Fuzzy Hash: 4b20dbc0ea9093b2c88654f9c8a57ead3f6235fee2f7e22621284e15a2560ff1
Instruction Fuzzy Hash: 31F08B367581160BD71CDD55ECE0977B366E7C6205B19003EDD42E33C0C9B4F809C268

Function 0043A642 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd95364430e9fbca85025ab4fdc0c06da95b6833750380dfae17f43fb2356eea
Instruction ID: 60b8f70e4424480c3934848cb6dc129aac56d7dc313b8c3c81a3ba2faa60c4cb
Opcode Fuzzy Hash: dd95364430e9fbca85025ab4fdc0c06da95b6833750380dfae17f43fb2356eea
Instruction Fuzzy Hash: B5F0C2BAA142504BEB1CDF38D861426B6E4AB8B200B06657DDA43E3645CB20D800CA8A

Function 00F54EFE Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00F54EE9,?,?,?,?,?,?,?,?,?,?), ref: 00F54FA4
__alloca_probe_16.LIBCMT ref: 00F5505F
__alloca_probe_16.LIBCMT ref: 00F550EE
__freea.LIBCMT ref: 00F55139
__freea.LIBCMT ref: 00F5513F
__freea.LIBCMT ref: 00F55175
__freea.LIBCMT ref: 00F5517B
__freea.LIBCMT ref: 00F5518B

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 60fb3e4154b23c112a5d0c1972e8924ad2f9876eda3e12cb7fad82033e87dbc4
Instruction ID: 3a0fd7ded522c55029b3d5c77a392a05cac3c72c4e5abcb1f70400091c131a58
Opcode Fuzzy Hash: 60fb3e4154b23c112a5d0c1972e8924ad2f9876eda3e12cb7fad82033e87dbc4
Instruction Fuzzy Hash: CE71E972D00A066BDF209EA4CC61FAE7FF99F45B26F190055EF04AB281E6359C48E790

Function 00F4D1AB Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F4D231

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d342e6d9dd7ece84147137a26a5d8741f20fb399666de0e3a91680ebf0403a46
Instruction ID: 917de40494e99f5710665ae4a2dbee887aa39ac356cd82eb1b09d8deb9ed3256
Opcode Fuzzy Hash: d342e6d9dd7ece84147137a26a5d8741f20fb399666de0e3a91680ebf0403a46
Instruction Fuzzy Hash: 2FB13432E01355AFDB15CF64CC82BBE7FA5EF55320F144165ED44AB282D2B4E901E7A1

Function 00F45570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F455A7
___except_validate_context_record.LIBVCRUNTIME ref: 00F455AF
_ValidateLocalCookies.LIBCMT ref: 00F45638
__IsNonwritableInCurrentImage.LIBCMT ref: 00F45663
_ValidateLocalCookies.LIBCMT ref: 00F456B8

Strings

csm, xrefs: 00F4564D

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 49481e09400c6f79310423717fa2181c041ae24d22a70855818d4c26bd816a26
Instruction ID: 5da696a8222069b3c859550719fc5bd69ea8e0078d80b3afc7d23dd5b70d9afa
Opcode Fuzzy Hash: 49481e09400c6f79310423717fa2181c041ae24d22a70855818d4c26bd816a26
Instruction Fuzzy Hash: 4941DF34E00608ABCF10EF68CC84AAEBFB5AF05724F558055ED149B293D735EA45EB91

Function 00F4AADE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,00F4ABED,00F42A12,?,00000000,?), ref: 00F4AB9F

Strings

api-ms-, xrefs: 00F4AB35
ext-ms-, xrefs: 00F4AB49

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: fd241aa37901b99f677743bb57979d44c800ad3464c9c84f6c459630fee0986f
Instruction ID: e577fa26303120b996c8cfae953c92683b53158bdf1c16e71e027b267d5c8dc0
Opcode Fuzzy Hash: fd241aa37901b99f677743bb57979d44c800ad3464c9c84f6c459630fee0986f
Instruction Fuzzy Hash: 5621D871E41314ABCB229724DC44E5A7F6ADF817B1F250114EE16A72D0EB70ED00E6D2

Function 00F4418D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F44193
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00F441A1
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00F441B2

Strings

GetTempPath2W, xrefs: 00F441A7
kernel32.dll, xrefs: 00F4418E
GetSystemTimePreciseAsFileTime, xrefs: 00F4419B

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 461a41042fa83f2a7a0cddad98942bd8c8174b65016094d6839ba84ca5f65e77
Instruction ID: f6e53b740d9c22b7a6637d70b1b79a800f9126aaf07a651875f8fb90e947ff89
Opcode Fuzzy Hash: 461a41042fa83f2a7a0cddad98942bd8c8174b65016094d6839ba84ca5f65e77
Instruction Fuzzy Hash: 3BD09E715463286F97105B707D0D8967AD4EA196133054496FA02D2250DBF08906FEE5

Function 00F49559 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F49550,00F4535B,00F44A6A), ref: 00F49567
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F49575
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F4958E
SetLastError.KERNEL32(00000000,00F49550,00F4535B,00F44A6A), ref: 00F495E0

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 746132f3e1303b46791c983a1034551b465335ffb764084647e3f81c251dd23a
Instruction ID: a9656f75dd01f601dbc3982dafff4654708efcef9866e71248a829157d80df75
Opcode Fuzzy Hash: 746132f3e1303b46791c983a1034551b465335ffb764084647e3f81c251dd23a
Instruction Fuzzy Hash: AF01D433B1D3165EA62627B4BC8996B3F94DB197767344339FE24461E0EF954C0AB140

Function 00F49DE9 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00F49F08
CallUnexpected.LIBVCRUNTIME ref: 00F4A181

Strings

csm, xrefs: 00F49F3F
csm, xrefs: 00F49E26
csm, xrefs: 00F49E93

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: e45d00dbcf7494aa175ecec83da2358cc8bafc4eeb9ee822f44b24d2441465bf
Instruction ID: c169dfcfd7303423a43f465e9bddccc01ad0b818bf32c6cc82a3b5a7b2859287
Opcode Fuzzy Hash: e45d00dbcf7494aa175ecec83da2358cc8bafc4eeb9ee822f44b24d2441465bf
Instruction Fuzzy Hash: 6FB16771E04209AFCF29DFA4C8819AEBFB5BF54320F14415AEC116B206D379DA51EF92

Function 00F41C20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00F41C80
RegisterClassW.USER32 ref: 00F41C98
GetMessageA.USER32 ref: 00F41CED

Strings

(, xrefs: 00F41C49
grDee, xrefs: 00F41C56

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ClassHandleMessageModuleRegister
String ID: ($grDee
API String ID: 1585107554-1172702150
Opcode ID: e571d02dc761f1c277b96b65af66af54db60c89176833cc87281179ff223baed
Instruction ID: 4c8b1b68c5507be1e96960a4c7c8777b5dddff1101988de9523137d8ba3c9a41
Opcode Fuzzy Hash: e571d02dc761f1c277b96b65af66af54db60c89176833cc87281179ff223baed
Instruction Fuzzy Hash: 4C21C6B09043089FDB00EFA8D58879EBFF4BB08305F50842AE859DB254E7749988EB42

Function 00F4812B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00F56BC3,000000FF,?,00F481EC,00F480D3,?,00F48288,00000000), ref: 00F48160
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F48172
FreeLibrary.KERNEL32(00000000,?,?,00000000,00F56BC3,000000FF,?,00F481EC,00F480D3,?,00F48288,00000000), ref: 00F48194

Strings

mscoree.dll, xrefs: 00F48159
CorExitProcess, xrefs: 00F4816A

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ad8d1291ebf774f7ddf6bcda73277c09dfa85bbf480ef8589278bedb140fc663
Instruction ID: fcaf7d3f40e08e64e79030cabfd013f0aeb05784fb579b75e01eb1fc796f9a62
Opcode Fuzzy Hash: ad8d1291ebf774f7ddf6bcda73277c09dfa85bbf480ef8589278bedb140fc663
Instruction Fuzzy Hash: BC01A231904719BFDB118F54CC09FAEBBB8FB44B62F040626ED11A22A0DBB49905EA80

Function 00F500C5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00F5014A
__alloca_probe_16.LIBCMT ref: 00F50213
__freea.LIBCMT ref: 00F5027A

Part of subcall function 00F4C7F6: HeapAlloc.KERNEL32(00000000,?,?,?,00F434B7,?,?,00F42A12,00001000,?,00F4295A), ref: 00F4C828

__freea.LIBCMT ref: 00F5028D
__freea.LIBCMT ref: 00F5029A

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 1376476f16b596bb8e23b2c995a4293449fdaa91cf21593603380e0fd2517d7e
Instruction ID: fb0de4bd7a3f6b4b7bd51890cdc79bcf816ce3f2d8cac6c9a3711b511bf401d9
Opcode Fuzzy Hash: 1376476f16b596bb8e23b2c995a4293449fdaa91cf21593603380e0fd2517d7e
Instruction Fuzzy Hash: D4519372A0020AAFEB205FA4CC89EBB7BA9DF45761F190528FE04D6151EF74DC58E660

Function 00F418D0 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00F41982
CloseHandle.KERNEL32 ref: 00F4199E

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CloseFileHandleSize
String ID:
API String ID: 3849164406-0
Opcode ID: 12aa4ae8f82028466e3f064bf4f76d4ad24a65988c13196b31b29a55dba7d8d3
Instruction ID: dbe1e8180a400bba41ea000923be6cc80cbb50a95d3008259561c7f589c56a29
Opcode Fuzzy Hash: 12aa4ae8f82028466e3f064bf4f76d4ad24a65988c13196b31b29a55dba7d8d3
Instruction Fuzzy Hash: 8471A0B0D05248DFDB10DFA8D58879DBBF0BF48314F108429E899AB341E774A989DF52

Function 00F43FE5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F43FF9
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F44018
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F44046
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F440A1
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00F56B6C,000000FF,?,00F42F4E), ref: 00F440B8

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: dcbafa97ca081a568a6eadbb37372c0f10ff74db66a9043dfdb3a555b7eb4516
Instruction ID: fd5ecca83c2bfd6822a6297d8306d9e4cb21d3390363ac406afe05fc99e7c747
Opcode Fuzzy Hash: dcbafa97ca081a568a6eadbb37372c0f10ff74db66a9043dfdb3a555b7eb4516
Instruction Fuzzy Hash: AA417C3190060ADFCB20DF68C881B6AFBF5FF44321B104A29DA56E7A40D730F9A4EB51

Function 00F4FE06 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00F4FEA2,00000000,?,00F60760,?,?,?,00F4FDD9,00000004,InitializeCriticalSectionEx,00F58880,00F58888), ref: 00F4FE13
GetLastError.KERNEL32(?,00F4FEA2,00000000,?,00F60760,?,?,?,00F4FDD9,00000004,InitializeCriticalSectionEx,00F58880,00F58888,00000000,?,00F4A43C), ref: 00F4FE1D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00F4FE45

Strings

api-ms-, xrefs: 00F4FE2A

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 2d42f01c6430f1735d78cf4569c79d559135ef56756ed4c23d905658951e26f1
Instruction ID: 53c577909f4a9f08982e536f8d69ca26c97a19f973239617ad6a160834a19796
Opcode Fuzzy Hash: 2d42f01c6430f1735d78cf4569c79d559135ef56756ed4c23d905658951e26f1
Instruction Fuzzy Hash: BBE01A30680349B6EA312B64EC4AF593E599F00B62F104434FE0CE90E2EBA1E894F545

Function 00F5078C Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00F507EF

Part of subcall function 00F4F276: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F50270,?,00000000,-00000008), ref: 00F4F2D7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F50A41
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F50A87
GetLastError.KERNEL32 ref: 00F50B2A

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 684af49273844ed3e4ebc48b7d6efb7c4e1c618f9506ece9f59559e02557583a
Instruction ID: 090242c76d4964937a405033327e02bbeed0fe15ddd7c83e54e2ec6e6d711413
Opcode Fuzzy Hash: 684af49273844ed3e4ebc48b7d6efb7c4e1c618f9506ece9f59559e02557583a
Instruction Fuzzy Hash: 21D1AFB5D00248AFCF15CFA8C8809EDBBB5FF48315F24416AE956EB352DB30A945DB50

Function 00F49B10 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F49BD7
___AdjustPointer.LIBCMT ref: 00F49BFA
___AdjustPointer.LIBCMT ref: 00F49C96

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ad2d43df6a2e2907bdd34d4a3e2f90db3106ad1fc1474620cea267c370e4a3ed
Instruction ID: d1e047171af51aabebf650a32fb7786ffd4a4915ff3fb1276771d023575d6b5b
Opcode Fuzzy Hash: ad2d43df6a2e2907bdd34d4a3e2f90db3106ad1fc1474620cea267c370e4a3ed
Instruction Fuzzy Hash: 1351D172B086069FDB299F10D881BBB7BE4EF44725F24052DEE1146291D7B5ED80E790

Function 00F4E61F Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00F4F276: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F50270,?,00000000,-00000008), ref: 00F4F2D7

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00F4E9C5,?,?,?,00000000), ref: 00F4E683
__dosmaperr.LIBCMT ref: 00F4E68A
GetLastError.KERNEL32(00000000,00F4E9C5,?,?,00000000,?,?,?,00000000,00000000,?,00F4E9C5,?,?,?,00000000), ref: 00F4E6C4
__dosmaperr.LIBCMT ref: 00F4E6CB

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f759bdd073fe399ce59d11b341a18263fb68a0812b5cb04afa55962b38a30bc9
Instruction ID: e3d2ac319adf6d764c0e9e2bf4867a1a443bbdb84b3375f4b971d6cce0305a3c
Opcode Fuzzy Hash: f759bdd073fe399ce59d11b341a18263fb68a0812b5cb04afa55962b38a30bc9
Instruction Fuzzy Hash: BA21D471A10205AFDB20AF65CC8196ABFA9FF20374B058528FD59D7250EB34EC50BB90

Function 00F4EBBB Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e3ccc04168ad247bf6b6dad5131faa03a128f1c9af48acb0797e7c846c2329
Instruction ID: 07fe882ae1f1aa1b6a3dbd691ac3101bd745ed4cf32712877c53919f8f0b31f3
Opcode Fuzzy Hash: 20e3ccc04168ad247bf6b6dad5131faa03a128f1c9af48acb0797e7c846c2329
Instruction Fuzzy Hash: 44219D72A00216AF9B20AF658C8496A7FA9FF503647148524FE1A97150EB34EC50F7A0

Function 00F4F372 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F4F37A

Part of subcall function 00F4F276: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F50270,?,00000000,-00000008), ref: 00F4F2D7

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4F3B2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4F3D2

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b5a6af2d0ff049c379036bc597fabb249b72f886e5c2b98a854dbdf69938b112
Instruction ID: b2f816fcb3a8f29c9f40bf7373d30f93c24c69541746ecba9a95880db27cf2e3
Opcode Fuzzy Hash: b5a6af2d0ff049c379036bc597fabb249b72f886e5c2b98a854dbdf69938b112
Instruction Fuzzy Hash: 8D11C4B290161A7FA62167719D89CBF7DADDE853A47100034FE09D1111FF64DF0571B1

Function 00F41E40 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00F41E6D
GetCurrentThreadId.KERNEL32 ref: 00F41E7B
std::_Throw_Cpp_error.LIBCPMT ref: 00F41E94
std::_Throw_Cpp_error.LIBCPMT ref: 00F41ED3

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: f6bb9fd16c0acd39b6dbc7881f85455cdd41ff2208bcc144a669479d182aabb6
Instruction ID: ef2acfc9329be898bfd47eef691c2d6a43bd0820ce2fb8d2c12b83a823dd4454
Opcode Fuzzy Hash: f6bb9fd16c0acd39b6dbc7881f85455cdd41ff2208bcc144a669479d182aabb6
Instruction Fuzzy Hash: E421B4B4E042098FCB04EFA9C5957AEBBF1FF48300F11846DE859A7351D738AA40DB61

Function 00F551BC Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000), ref: 00F551D3
GetLastError.KERNEL32(?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000,?,?,?,00F504C4,?), ref: 00F551DF

Part of subcall function 00F55230: CloseHandle.KERNEL32(FFFFFFFE,00F551EF,?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000,?,?), ref: 00F55240

___initconout.LIBCMT ref: 00F551EF

Part of subcall function 00F55211: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F551AD,00F5402B,?,?,00F50B7E,?,00000000,00000000,?), ref: 00F55224

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00F5403E,00000000,00000001,?,?,?,00F50B7E,?,00000000,00000000,?), ref: 00F55204

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7640ff582bcd58daee26c49f37e0887e6ac07df7cf90b1e34a071718518807f7
Instruction ID: 65396f3f550551488a92305a18f803ea395f190cdbe3773172e653b1ab55eec2
Opcode Fuzzy Hash: 7640ff582bcd58daee26c49f37e0887e6ac07df7cf90b1e34a071718518807f7
Instruction Fuzzy Hash: 5DF0AC37501618BBCF222F95DC1899E7F66FB097A2F054150FF19D6130CA728864FB91

Function 00F447F1 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F44803
GetCurrentThreadId.KERNEL32 ref: 00F44812
GetCurrentProcessId.KERNEL32 ref: 00F4481B
QueryPerformanceCounter.KERNEL32(?), ref: 00F44828

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 17b98e3124da9789f9b1824509c2a45c9a973dc314a0b734dccf932f70d3b2cf
Instruction ID: fcec763aa5a2f3ac12e9f355f7d58ce8732940cabb1795571fc40afd0fdefe79
Opcode Fuzzy Hash: 17b98e3124da9789f9b1824509c2a45c9a973dc314a0b734dccf932f70d3b2cf
Instruction Fuzzy Hash: 26F06274D1120DEBCB10DBB4D94999EBBF8FF1C205B924595A512E7110EB30AB44EB51

Function 00430314 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00430356

Strings

l, xrefs: 00430370
y, xrefs: 004303A0

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitVariant
String ID: l$y
API String ID: 1927566239-1723712360
Opcode ID: 2965b5208355ac1d90e7818a98be3fa3eea2c2d56be576910414874b0b90331d
Instruction ID: 007e0513793a602b76b1761f342ba59ebafd827c6d3cfcf6cb550af947ed34ce
Opcode Fuzzy Hash: 2965b5208355ac1d90e7818a98be3fa3eea2c2d56be576910414874b0b90331d
Instruction Fuzzy Hash: 5751CF71208B818BD719CF38C894356BED26B96324F0DC7ACD9A64F3DAD7789405C762

Function 0042F945 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0042F96E

Strings

l, xrefs: 0042F98B
y, xrefs: 0042F9BB

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: InitVariant
String ID: l$y
API String ID: 1927566239-1723712360
Opcode ID: f53dbae8c872c39f4bca788a68fe4d1ac632ec4fc3c1810e851fb7043fba4ce0
Instruction ID: 4936c864c7c7b2b0f7fd1e64c3b16b971512418a45338bcd5f8015eb110826ed
Opcode Fuzzy Hash: f53dbae8c872c39f4bca788a68fe4d1ac632ec4fc3c1810e851fb7043fba4ce0
Instruction Fuzzy Hash: 4951AC71208B818FD719CF3CC894326BED25B96224F0D86ACD9A68F3DAC6789405C762

Function 00F4A20D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00F4A10E,?,?,00000000,00000000,00000000,?), ref: 00F4A232

Strings

MOC, xrefs: 00F4A244
RCC, xrefs: 00F4A24C

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 6ae9f5b354fbe9e86b614bb30643984b07ed470db6d74d18f88c5961a25bc6f1
Instruction ID: bcfee902ebfb0a9d1ae81a24aa129f6a40fdbc2edf1b02d725729b7cbb10229a
Opcode Fuzzy Hash: 6ae9f5b354fbe9e86b614bb30643984b07ed470db6d74d18f88c5961a25bc6f1
Instruction Fuzzy Hash: 52415872D00209AFCF15DF98CC81AEE7BB5BF49310F184159FD04A6215D37A9A50EB52

Function 00431F2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431F7B
GetSystemMetrics.USER32 ref: 00431F8A

Strings

, xrefs: 0043205E

Memory Dump Source

Source File: 00000003.00000002.2047799879.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Bootstrapper.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 29707184e06c37306edc17f7ab043fbeedb3be21c6a60bb4e5d7b75b504481d7
Instruction ID: 8eba3c713eb958cd1637f2e2636999d49f4b2a3804faa046c76b99a12d00feaa
Opcode Fuzzy Hash: 29707184e06c37306edc17f7ab043fbeedb3be21c6a60bb4e5d7b75b504481d7
Instruction Fuzzy Hash: EC4162B4D142089FCB40EFACD98569DBBF0BB89300F11852EE998E7310D734A958CF96

Function 00F49A79 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00F49CF0

Strings

csm, xrefs: 00F49D83
csm, xrefs: 00F49D12

Memory Dump Source

Source File: 00000003.00000002.2048263538.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000003.00000002.2048251857.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048279205.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048295332.0000000000F5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048310701.0000000000F61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2048325439.0000000000F64000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f40000_Bootstrapper.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 280ae6b063ad7c55a338a4dcbdaf83077a2867911dfcacd058ea9b529e043f92
Instruction ID: fa380287b6d38476570ca33f62c2f93856080c00b3135388c13b6f101b91f34d
Opcode Fuzzy Hash: 280ae6b063ad7c55a338a4dcbdaf83077a2867911dfcacd058ea9b529e043f92
Instruction Fuzzy Hash: 97318172F086189BCF269F90CC4496BBF75FB08325B18455AFC9849211C3B6CCA2FB81

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bootstrapper.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Bootstrapper.exe

Function 00F5F1A9 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00F4AADE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00F418D0 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Function 00F413B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141
COMMON

Function 00F41780 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
memoryCOMMON

Function 00F47EBF Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00F48055 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00F4B4BC Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00F41D20 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Function 00F47FD7 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00F4ABA9 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Function 00F42D90 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 00F43290 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00F4C7F6 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE