Edit tour

Windows Analysis Report
neo.msi

Overview

General Information

Sample name:	neo.msi
Analysis ID:	1432285
MD5:	37605a3eb80f3366e56938031a9ac917
SHA1:	0582a0dd69d6027fb94765254ed91ad736ade305
SHA256:	4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a
Infos:

Detection

Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

System process connects to network (likely due to code injection or exploit)

Yara detected Latrodectus

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject threads in other processes

Drops executables to the windows directory (C:\Windows) and starts them

Rundll32 performs DNS lookup (likely malicious behavior)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks for available system drives (often done to infect USB drives)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

msiexec.exe (PID: 1072 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\neo.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 152 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 2864 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

msiexec.exe (PID: 3348 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

MSI1B42.tmp (PID: 3540 cmdline: "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: B9545ED17695A32FACE8C3408A6A3553)

rundll32.exe (PID: 3572 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 3580 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq MD5: DD81D91FF3B0763C392422865C9AC12E)

taskeng.exe (PID: 3620 cmdline: taskeng.exe {9EB3A60F-302F-4AB2-B149-897715BB8B05} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

rundll32.exe (PID: 3700 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Unidentified 111 (Latrodectus), Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/ https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412 https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39 https://twitter.com/Myrtus0x0/status/1732997981866209550 https://www.embeeresearch.io/latrodectus-script-deobfuscation/	https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.614395824.0000000000470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000008.00000002.446771476.00000000000A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.619163772.0000000001E80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
0000000D.00000002.420736655.00000000002A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.619168848.0000000001F0A000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
0000000D.00000002.420775529.0000000001AD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.618961213.0000000000110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000009.00000002.619007012.00000000001C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 3580	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
13.2.rundll32.exe.2a0000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.a0000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
13.2.rundll32.exe.2a0000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.110000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.130000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
13.2.rundll32.exe.1ad0000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
13.2.rundll32.exe.1ad0000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.110000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.130000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
8.2.rundll32.exe.a0000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
9.2.rundll32.exe.1c0000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\System32\rundll32.exe, ProcessId: 3580, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8.2.rundll32.exe.130000.1.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}

Multi AV Scanner detection for dropped file

Source: :wtfbbq (copy)	Virustotal: Detection: 9%	Perma Link
Source: C:\Users\user\AppData\Local\sharepoint\360total.dll	Virustotal: Detection: 9%	Perma Link
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll	Virustotal: Detection: 9%	Perma Link

Sample uses string decryption to hide its real strings

Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor:
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor: "
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor: uau3"#%,''!
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor: FfD!6""#'& )<
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor: jB!
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor:
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor: 3efal9#"
Source: 13.2.rundll32.exe.1ad0000.1.raw.unpack	String decryptor: #kl&+=>4>@F[yz1

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

8_2_000000018003BC0C

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D4AF79 FindFirstFileExW,	7_2_00D4AF79
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013A350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	8_2_0013A350
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	8_2_00131A08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140DD8 FindFirstFileA,	8_2_00140DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140DE0 FindFirstFileW,	8_2_00140DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001CA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_001CA350
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_001C1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01ADA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	13_2_01ADA350
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0DE0 FindFirstFileW,	13_2_01AE0DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0DD8 FindFirstFileA,	13_2_01AE0DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	13_2_01AD1A08

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Domain query: jarinamaers.shop

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor	URLs: https://startmast.shop/live/

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00134F58 InternetReadFile,

8_2_00134F58

Source: global traffic

DNS traffic detected: DNS query: jarinamaers.shop

Source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	String found in binary or memory: ftp://ftp%2desktop.ini
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe	String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	String found in binary or memory: http://dr.f.360.cn/scanlist
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe	String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe	String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe	String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000009.00000002.619056856.000000000056B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/G
Source: rundll32.exe, 00000009.00000002.619056856.000000000056B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/O
Source: rundll32.exe, 00000009.00000002.619056856.00000000004F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.619056856.0000000000508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

System Summary

Rundll32 performs DNS lookup (likely malicious behavior)

Source: C:\Windows\System32\rundll32.exe	DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe	DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe	DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe	DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe	DNS query: name: jarinamaers.shop

Source: C:\Windows\Installer\MSI1B42.tmp

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D13C20 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetLastError,FreeLibrary,	7_2_00D13C20
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,	8_2_0013463C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00137A54 NtWriteFile,	8_2_00137A54
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_001378C0 NtReadFile,	8_2_001378C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013B0C4 NtOpenKey,RtlpNtOpenKey,	8_2_0013B0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013AD34 NtAllocateVirtualMemory,	8_2_0013AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00137B40 NtFreeVirtualMemory,	8_2_00137B40
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00137588 RtlInitUnicodeString,NtCreateFile,NtClose,	8_2_00137588
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013378C NtClose,	8_2_0013378C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_001377B0 RtlInitUnicodeString,NtCreateFile,	8_2_001377B0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	8_2_0013B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_001379C8 NtClose,	8_2_001379C8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory,	8_2_00140A18
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013745C RtlInitUnicodeString,NtOpenFile,NtClose,	8_2_0013745C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00137694 RtlInitUnicodeString,NtDeleteFile,	8_2_00137694
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140A80 NtCreateFile,	8_2_00140A80
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140AC0 NtFreeVirtualMemory,NtFlushInstructionCache,	8_2_00140AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00137ACC NtClose,	8_2_00137ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140AF0 NtWriteFile,	8_2_00140AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140AF8 NtReadFile,	8_2_00140AF8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140B00 NtDelayExecution,	8_2_00140B00
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00137704 NtQueryInformationFile,	8_2_00137704
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140B08 NtOpenKey,NtSetValueKey,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,	8_2_00140B08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140B28 NtQueryInformationFile,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,	8_2_00140B28
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013CB54 NtDelayExecution,	8_2_0013CB54
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,	9_2_001C463C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001CB0C4 NtOpenKey,RtlpNtOpenKey,	9_2_001CB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001CAD34 NtAllocateVirtualMemory,	9_2_001CAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001CCB54 NtDelayExecution,	9_2_001CCB54
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C7B40 NtFreeVirtualMemory,	9_2_001C7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C378C NtClose,	9_2_001C378C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C77B0 RtlInitUnicodeString,NtCreateFile,	9_2_001C77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001CB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	9_2_001CB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001D0A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory,	9_2_001D0A18
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C745C RtlInitUnicodeString,NtOpenFile,NtClose,	9_2_001C745C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C7A54 NtWriteFile,	9_2_001C7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C7694 RtlInitUnicodeString,NtDeleteFile,	9_2_001C7694
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C7ACC NtClose,	9_2_001C7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C78C0 NtReadFile,	9_2_001C78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001D0AC0 NtFreeVirtualMemory,NtFlushInstructionCache,	9_2_001D0AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001D0AF0 NtWriteFile,	9_2_001D0AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C7704 NtQueryInformationFile,	9_2_001C7704
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001D0B00 NtDelayExecution,	9_2_001D0B00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C7588 RtlInitUnicodeString,NtCreateFile,NtClose,	9_2_001C7588
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C79C8 NtClose,	9_2_001C79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01ADAD34 NtAllocateVirtualMemory,	13_2_01ADAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD7B40 NtFreeVirtualMemory,	13_2_01AD7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD77B0 RtlInitUnicodeString,NtCreateFile,	13_2_01AD77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD378C NtClose,	13_2_01AD378C
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD7588 RtlInitUnicodeString,NtCreateFile,NtClose,	13_2_01AD7588
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD79C8 NtClose,	13_2_01AD79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01ADB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	13_2_01ADB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD7704 NtQueryInformationFile,	13_2_01AD7704
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0B00 NtDelayExecution,	13_2_01AE0B00
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01ADCB54 NtDelayExecution,	13_2_01ADCB54
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD7694 RtlInitUnicodeString,NtDeleteFile,	13_2_01AD7694
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD7ACC NtClose,	13_2_01AD7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01ADB0C4 NtOpenKey,	13_2_01ADB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD78C0 NtReadFile,	13_2_01AD78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0AC0 NtFreeVirtualMemory,NtFlushInstructionCache,	13_2_01AE0AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,	13_2_01AD463C
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory,	13_2_01AE0A18
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD745C RtlInitUnicodeString,NtOpenFile,NtClose,	13_2_01AD745C
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD7A54 NtWriteFile,	13_2_01AD7A54

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_000000018006A2C8: DeviceIoControl,

8_2_000000018006A2C8

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,

8_2_000000018004B1A4

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\747f6e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8029.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\747f6f.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\747f6f.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI19CA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B42.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI8029.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D16A50	7_2_00D16A50
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D4F032	7_2_00D4F032
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D3C2CA	7_2_00D3C2CA
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D492A9	7_2_00D492A9
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D3E270	7_2_00D3E270
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D484BD	7_2_00D484BD
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D3A587	7_2_00D3A587
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D4D8D5	7_2_00D4D8D5
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D1C870	7_2_00D1C870
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D3A915	7_2_00D3A915
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D34920	7_2_00D34920
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D40A48	7_2_00D40A48
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D19CC0	7_2_00D19CC0
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D45D6D	7_2_00D45D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00131030	8_2_00131030
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180017FE8	8_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006DFF4	8_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800220D8	8_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018007C140	8_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180060174	8_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018008023C	8_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018000834C	8_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006C470	8_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800784E0	8_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800764F0	8_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180060578	8_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180010580	8_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018004E5DC	8_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180062600	8_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180002610	8_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180004638	8_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018004A650	8_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006E760	8_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800647B0	8_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018007E7C7	8_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180076930	8_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180062954	8_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006A994	8_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006E9FC	8_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180082A18	8_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180072A27	8_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180010B58	8_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180026C84	8_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018001ECF4	8_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180008E20	8_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180052FD8	8_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018003AFE8	8_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018005D014	8_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006F0B4	8_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800630CC	8_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018005912C	8_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018004B1A4	8_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180049278	8_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018007B2D0	8_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018002B2EC	8_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006D3D4	8_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800033E0	8_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180075480	8_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800694A0	8_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018005958C	8_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800576DC	8_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800097E0	8_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001800277FC	8_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018002D964	8_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180073B60	8_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018007BBB0	8_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018001BC38	8_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018005DD18	8_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180073DF0	8_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180011DF0	8_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018005BE6C	8_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018004FF88	8_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C1030	9_2_001C1030
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD1030	13_2_01AD1030

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: String function: 00D33790 appears 39 times
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: String function: 00D3325F appears 103 times
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: String function: 00D33292 appears 70 times

Source: neo.msi	Binary or memory string: OriginalFilenameviewer.exeF vs neo.msi
Source: neo.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs neo.msi

Source: metadata-2.1.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: mal100.troj.evad.winMSI@14/22@5/0

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess,	8_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	8_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,	8_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	8_2_000000018008395A

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D13860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

7_2_00D13860

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D14BA0 CoInitialize,CoCreateInstance,VariantInit,ObjectStublessClient10,VariantClear,IUnknown_QueryService,ObjectStublessClient9,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,OleUninitialize,_com_issue_error,

7_2_00D14BA0

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D145B0 LoadResource,LockResource,SizeofResource,

7_2_00D145B0

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

8_2_0000000180049AEC

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\HuMaster LLC

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Mutant created: \BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Source: C:\Windows\System32\msiexec.exe	Mutant created: \BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\runnung

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIADBD.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq

Source: rundll32.exe, rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\neo.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI1B42.tmp "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {9EB3A60F-302F-4AB2-B149-897715BB8B05} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI1B42.tmp "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: neo.msi

Static file information: File size 1620480 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError,

8_2_00000001800033E0

Source: 360total.dll.1.dr	Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: Update_6a61d649.dll.8.dr	Static PE information: real checksum: 0xd8785 should be: 0xe745c

Source: 360total.dll.1.dr	Static PE information: section name: wsgi2
Source: Update_6a61d649.dll.8.dr	Static PE information: section name: wsgi2

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D3323C push ecx; ret	7_2_00D3324F
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180010451 push rcx; ret	8_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018001045A push rcx; ret	8_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00000001801758FC push rsp; ret	8_2_00000001801758FD
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180175CDE push 2027C70Fh; ret	8_2_0000000180175CE5

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI1B42.tmp

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	File created: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI829C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIADBD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI825B.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI82BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B42.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8029.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI827B.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B42.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8029.tmp			Jump to dropped file

Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

8_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

8_2_0000000180062148

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\rundll32.exe

Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection,

8_2_00000001800655A8

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180049AEC

8_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	8_2_001368E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	8_2_00137FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_001C68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_001C7FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	13_2_01AD68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	13_2_01AD7FA8

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 647			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 9092			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI829C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI825B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIADBD.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI82BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8029.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI827B.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSI1B42.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-34046

Source: C:\Windows\System32\rundll32.exe	API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 8.5 %

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180049AEC

8_2_0000000180049AEC

Source: C:\Windows\System32\msiexec.exe TID: 828	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3792	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 1648	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3084	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3796	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3368	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp TID: 3560	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Installer\MSI1B42.tmp TID: 3560	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3584	Thread sleep count: 261 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3584	Thread sleep time: -261000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3632	Thread sleep count: 647 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3632	Thread sleep time: -64700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3584	Thread sleep count: 9092 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3584	Thread sleep time: -9092000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 3684	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D4AF79 FindFirstFileExW,	7_2_00D4AF79
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0013A350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	8_2_0013A350
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	8_2_00131A08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140DD8 FindFirstFileA,	8_2_00140DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140DE0 FindFirstFileW,	8_2_00140DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001CA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_001CA350
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_001C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_001C1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01ADA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	13_2_01ADA350
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0DE0 FindFirstFileW,	13_2_01AE0DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0DD8 FindFirstFileA,	13_2_01AE0DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AD1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	13_2_01AD1A08

Source: rundll32.exe, 00000008.00000002.446788834.00000000001D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "MWar_VMware_SATA_CD01______
Source: metadata-2.1.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.1.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00140A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory,

8_2_00140A18

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D1D0A5 IsDebuggerPresent,OutputDebugStringW,

7_2_00D1D0A5

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

8_2_0000000180066C3C

Source: C:\Windows\System32\rundll32.exe

8_2_00000001800033E0

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D42DCC mov ecx, dword ptr fs:[00000030h]		7_2_00D42DCC
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D4AD78 mov eax, dword ptr fs:[00000030h]		7_2_00D4AD78

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D12310 GetProcessHeap,

7_2_00D12310

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D3353F SetUnhandledExceptionFilter,	7_2_00D3353F
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D333A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00D333A8
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D32968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00D32968
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: 7_2_00D36E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00D36E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Domain query: jarinamaers.shop

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140B08 NtOpenKey,NtSetValueKey,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,	8_2_00140B08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140B38 RtlFormatCurrentUserKeyPath,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,	8_2_00140B38
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00140B28 NtQueryInformationFile,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,	8_2_00140B28
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_01AE0B38 RtlFormatCurrentUserKeyPath,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,	13_2_01AE0B38

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D152F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

7_2_00D152F0

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI1B42.tmp "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle,

8_2_000000018004A650

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,

8_2_0000000180049278

Source: 360total.dll.1.dr	Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program manager

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D335A9 cpuid

7_2_00D335A9

Source: C:\Windows\Installer\MSI1B42.tmp	Code function: EnumSystemLocalesW,	7_2_00D4E0C6
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: EnumSystemLocalesW,	7_2_00D4E1AC
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: EnumSystemLocalesW,	7_2_00D4E111
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: EnumSystemLocalesW,	7_2_00D47132
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00D4E237
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetLocaleInfoEx,	7_2_00D323F8
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetLocaleInfoW,	7_2_00D4E48A
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_00D4E5B3
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetLocaleInfoW,	7_2_00D4E6B9
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetLocaleInfoW,	7_2_00D476AF
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00D4E788
Source: C:\Windows\Installer\MSI1B42.tmp	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	7_2_00D4DE24

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D337D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00D337D5

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00138AE0 GetUserNameA,wsprintfA,

8_2_00138AE0

Source: C:\Windows\Installer\MSI1B42.tmp

Code function: 7_2_00D47B1F GetTimeZoneInformation,

7_2_00D47B1F

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00138560 RtlGetVersion,GetVersionExW,

8_2_00138560

Source: C:\Windows\Installer\MSI1B42.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: rundll32.exe	Binary or memory string: 360tray.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Yara detected Latrodectus

Source: Yara match	File source: 13.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.130000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.614395824.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.446771476.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.619163772.0000000001E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.420736655.00000000002A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.619168848.0000000001F0A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.420775529.0000000001AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.618961213.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.619007012.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3580, type: MEMORYSTR

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: 13.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.130000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.614395824.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.446771476.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.619163772.0000000001E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.420736655.00000000002A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.619168848.0000000001F0A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.420775529.0000000001AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.618961213.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.619007012.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3580, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Scheduled Task/Job	1 Valid Accounts	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	21 Windows Service	1 Valid Accounts	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	11 Access Token Manipulation	1 File Deletion	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	21 Windows Service	121 Masquerading	LSA Secrets	35 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	212 Process Injection	1 Valid Accounts	Cached Domain Credentials	351 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Rundll32	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
:wtfbbq (copy)	10%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI825B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI825B.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI827B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI827B.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI829C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI829C.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI82BC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI82BC.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIADBD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIADBD.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\sharepoint\360total.dll	10%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll	10%	Virustotal	Browse
C:\Windows\Installer\MSI1B42.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1B42.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI8029.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8029.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
jarinamaers.shop	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://jarinamaers.shop/O	0%	Avira URL Cloud	safe
https://startmast.shop/live/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/G	0%	Avira URL Cloud	safe
ftp://ftp%2desktop.ini	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jarinamaers.shop	104.21.46.75	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://startmast.shop/live/	true	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pscan.f.360.cn/safe_update.php	rundll32.exe	false		high
https://jarinamaers.shop/O	rundll32.exe, 00000009.00000002.619056856.000000000056B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dr.f.360.cn/scanlist	rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	false		high
https://www.thawte.com/cps0/	neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	false		high
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie	rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	false		high
https://www.thawte.com/repository0W	neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	false		high
http://pconf.f.360.cn/safe_update.php	rundll32.exe	false		high
ftp://ftp%2desktop.ini	rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr	false	Avira URL Cloud: safe	low
http://sconf.f.360.cn/client_security_conf	rundll32.exe	false		high
http://dr.f.360.cn/scan	rundll32.exe	false		high
https://www.advancedinstaller.com	neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr	false		high
https://jarinamaers.shop/G	rundll32.exe, 00000009.00000002.619056856.000000000056B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432285
Start date and time:	2024-04-26 19:24:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	neo.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@14/22@5/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 326
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.93
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, legacywatson.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:24:56	API Interceptor	1894x Sleep call for process: msiexec.exe modified
19:25:21	API Interceptor	146x Sleep call for process: MSI1B42.tmp modified
19:25:27	API Interceptor	117x Sleep call for process: taskeng.exe modified
19:26:02	API Interceptor	2355164x Sleep call for process: rundll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jarinamaers.shop	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse	172.67.136.103
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.136.103
	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSI827B.tmp	ad.msi	Get hash	malicious	Latrodectus	Browse
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	Doc_m42_81h118103-88o62135w8623-1999q9.js	Get hash	malicious	Unknown	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSI825B.tmp	ad.msi	Get hash	malicious	Latrodectus	Browse
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	Doc_m42_81h118103-88o62135w8623-1999q9.js	Get hash	malicious	Unknown	Browse
	avp.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

:wtfbbq (copy)

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.271226161679794
Encrypted:	false
SSDEEP:	12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
MD5:	BD3A3714EE9A071EBEB59AC91D9EBB5A
SHA1:	55110A221F20A4CEEC34C58D0179FA31F8C102E9
SHA-256:	4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
SHA-512:	7244220F29057339C99A22C20268187BA6F6681251F4CE4F305AD22DC030F6078B4F298EF10AD392DC5D036C41C7B8C28C2BD997EA39EF7AB023CB9B5C946DC8
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 10%, Browse
Reputation:	low
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..Bwsgi2........P.........................@..........!1)FX?@T#s9Cey$lE<HI0x&%czAYeH9a))*C9%fd8%Z<@zCvcK....................................

C:\Config.Msi\747f70.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1204
Entropy (8bit):	5.67558499361017
Encrypted:	false
SSDEEP:	24:zgyI6AE6jIMaI3I4iItRpUcFPRMi4iDDhiSrokfCLK:zB+jhaxt+bTPRMi4iDD8Srx
MD5:	EA918F400E4A1EB3E4527F94AD42A8E2
SHA1:	49B4A4675B082257E39692BEE2CA653CE166D0CE
SHA-256:	1BA0EC81998B368DAD946B67B0E6B82286340DD3CCCA0E4EE843C0947CAC6C08
SHA-512:	6FD0072CECD7D13E17B9E9BF34E299E3B51F1762F8F91308DF995CB83146DEE9DFD71B5315C393FD35C0658AF811492239709BC0EBB6E0C84F4C3DC4A03720B8
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..neo.msi.@.....@.....@.....@........&.{6C81CEE0-3161-4D91-A688-254B67D7D838}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@........CreateFolders..Creating folders..Folder: [1]#.6.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Users\user\AppData\Local\sharepoint\....4.C:\Users\user\AppData\Local\sharepoint\360total.dll....WriteRegistryValues..Writing system registry va

C:\System Volume Information\SPP\OnlineMetadataCache\{f14178ee-79d6-4c4a-804e-c18354b90115}_OnDiskSnapshotProp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3048
Entropy (8bit):	3.669078455925044
Encrypted:	false
SSDEEP:	48:qDGv+6N38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8H:qDGvJ4PUiF8fHzbOHXOHB9BpiV
MD5:	75CDF3F1112E5F9922F9E1CC3A34E72D
SHA1:	26DFEE703703EB5DCA338D58B04FC42579AEF31B
SHA-256:	BBD26345804B58BE3F41323421CB492DA1426253CD82DD8EB82C916889CF0690
SHA-512:	AF42CC8A966E750F1F45B797A68B6DAE1B7E48B3EDC3AEC7CCCB58E7A13856642D7C2CDBFAEEA3B17E0788819C7EE94F6D6E8B47B5AE4D93AE17E7827BDE6BA9
Malicious:	false
Reputation:	low
Preview:	.D.....M..,....c...6.....................xA..yJL.N..T...9.........z............M..0.<fK...; ...............................$.......8...............I.n.s.t.a.l.l.e.d. .3.6.0. .T.o.t.a.l...............C.:.\.W.i.n.d.o.w.s.\...............3.0.2.4.9.4.................W.O.R.K.G.R.O.U.P.........A.'.3C..wZ......................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...\|...........%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.a.y.e.r. .2.5. .A.c.t.i.v.e.X. .2.5...0...0...1.2.7.....'.......'...A.d.o.b.e. .F.l.a.s.h. .P.l.a.y.e.r. .2.5. .N.P.A.P.

C:\System Volume Information\SPP\metadata-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	SysEx File - Twister
Category:	dropped
Size (bytes):	9068216
Entropy (8bit):	3.679389249730728
Encrypted:	false
SSDEEP:	12288:GF4TYOYEzT4G09w6LB9K43gd8caDtDIY8/mhjTLQSI5JnJYKnAOYlTL9VZYbEIIw:s4j69g8caP7y0ljdAGmm/rmHp
MD5:	1BD864E31838B776694C4E0B26CCAE68
SHA1:	9851F2BE7B3335BF27FABD2B48F2D3FBD83252B0
SHA-256:	2C0B39FED8EF3BD4215C5AE1CE8BDFA627436F44DBD0AFCB6D1852FAD5474940
SHA-512:	88C177985B8E675A8923552D4E71518168244A01B57F6F286B90FA644DDA7928170B3864BB2AF3B99FB3B583CC4CCB2097705CAD0E3F7429E0FD50A8485782CD
Malicious:	false
Reputation:	low
Preview:	.%..=..J.....>.(4].y............^...................... ...Y.......Y...<.B.A.C.K.U.P._.C.O.M.P.O.N.E.N.T.S. .x.m.l.n.s.=.".x.-.s.c.h.e.m.a.:.#.V.s.s.C.o.m.p.o.n.e.n.t.M.e.t.a.d.a.t.a.". .v.e.r.s.i.o.n.=.".1...2.". .b.o.o.t.a.b.l.e.S.y.s.t.e.m.S.t.a.t.e.B.a.c.k.u.p.=.".y.e.s.". .s.e.l.e.c.t.C.o.m.p.o.n.e.n.t.s.=.".y.e.s.". .b.a.c.k.u.p.T.y.p.e.=.".f.u.l.l.". .p.a.r.t.i.a.l.F.i.l.e.S.u.p.p.o.r.t.=.".y.e.s.". .s.n.a.p.s.h.o.t.S.e.t.I.d.=.".f.1.4.1.7.8.e.e.-.7.9.d.6.-.4.c.4.a.-.8.0.4.e.-.c.1.8.3.5.4.b.9.0.1.1.5.".>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.n.s.t.a.n.c.e.I.d.=.".d.a.8.6.8.4.4.e.-.5.b.2.9.-.4.d.2.8.-.a.e.8.d.-.a.8.6.1.2.0.f.3.8.a.4.4.". .w.r.i.t.e.r.I.d.=.".a.f.b.a.b.4.a.2.-.3.6.7.d.-.4.d.1.5.-.a.5.8.6.-.7.1.d.b.b.1.8.f.8.4.8.5.". .b.a.c.k.u.p.S.c.h.e.m.a.=.".0.".>.<.C.O.M.P.O.N.E.N.T. .c.o.m.p.o.n.e.n.t.N.a.m.e.=.".R.e.g.i.s.t.r.y.". .c.o.m.p.o.n.e.n.t.T.y.p.e.=.".f.i.l.e.g.r.o.u.p."./.>.<./.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S.>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.n.s.t.a.

C:\System Volume Information\SPP\snapshot-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3048
Entropy (8bit):	3.669078455925044
Encrypted:	false
SSDEEP:	48:qDGv+6N38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8H:qDGvJ4PUiF8fHzbOHXOHB9BpiV
MD5:	75CDF3F1112E5F9922F9E1CC3A34E72D
SHA1:	26DFEE703703EB5DCA338D58B04FC42579AEF31B
SHA-256:	BBD26345804B58BE3F41323421CB492DA1426253CD82DD8EB82C916889CF0690
SHA-512:	AF42CC8A966E750F1F45B797A68B6DAE1B7E48B3EDC3AEC7CCCB58E7A13856642D7C2CDBFAEEA3B17E0788819C7EE94F6D6E8B47B5AE4D93AE17E7827BDE6BA9
Malicious:	false
Reputation:	low
Preview:	.D.....M..,....c...6.....................xA..yJL.N..T...9.........z............M..0.<fK...; ...............................$.......8...............I.n.s.t.a.l.l.e.d. .3.6.0. .T.o.t.a.l...............C.:.\.W.i.n.d.o.w.s.\...............3.0.2.4.9.4.................W.O.R.K.G.R.O.U.P.........A.'.3C..wZ......................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...\|...........%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.a.y.e.r. .2.5. .A.c.t.i.v.e.X. .2.5...0...0...1.2.7.....'.......'...A.d.o.b.e. .F.l.a.s.h. .P.l.a.y.e.r. .2.5. .N.P.A.P.

C:\Users\user\AppData\Local\Temp\MSI782b9.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (346), with CRLF line terminators
Category:	dropped
Size (bytes):	934
Entropy (8bit):	3.522851285172858
Encrypted:	false
SSDEEP:	24:Q+W9OOkfIS3nMClWYsRO5nMClqDI+CVQlnqmmjFZ:7Wor3IpROJBRQlqmmH
MD5:	F5D67B0709309FC672AE4032CE057E00
SHA1:	7F96BF7FC81731C786322DFB063236A22CBFCE40
SHA-256:	02400657525EAA2D3ACF866D7B91AE651AEA730D326CD4327611386F2DF77ADA
SHA-512:	F6EF1B83C34C2BDA5884C55110D5920CAA5CDCAAD3EA0B2E268C2F37069288E553E4CF75440ADA200E35D8BF217F788F1B131F7F99939FCDADAD9CDFB7AEE0D9
Malicious:	false
Preview:	..E.r.r.o.r. .2.8.0.3... .D.i.a.l.o.g. .V.i.e.w. .d.i.d. .n.o.t. .f.i.n.d. .a. .r.e.c.o.r.d. .f.o.r. .t.h.e. .d.i.a.l.o.g. .E.r.r.o.r.D.l.g.......E.r.r.o.r. .1.7.2.2... .T.h.e.r.e. .i.s. .a. .p.r.o.b.l.e.m. .w.i.t.h. .t.h.i.s. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .p.a.c.k.a.g.e... .A. .p.r.o.g.r.a.m. .r.u.n. .a.s. .p.a.r.t. .o.f. .t.h.e. .s.e.t.u.p. .d.i.d. .n.o.t. .f.i.n.i.s.h. .a.s. .e.x.p.e.c.t.e.d... .C.o.n.t.a.c.t. .y.o.u.r. .s.u.p.p.o.r.t. .p.e.r.s.o.n.n.e.l. .o.r. .p.a.c.k.a.g.e. .v.e.n.d.o.r... . .A.c.t.i.o.n. .L.a.u.n.c.h.F.i.l.e.,. .l.o.c.a.t.i.o.n.:. .C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.M.S.I.1.B.4.2...t.m.p.,. .c.o.m.m.a.n.d.:. .C.:./.W.i.n.d.o.w.s./.S.y.s.t.e.m.3.2./.r.u.n.d.l.l.3.2...e.x.e. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.h.a.r.e.p.o.i.n.t.\.3.6.0.t.o.t.a.l...d.l.l.,. .h.o.m.q. .....=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .4./.2.6./.2.0.2.4. . .1.9.:.2.9.:.4.8. .=.=.=.....

C:\Users\user\AppData\Local\Temp\MSI825B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: ad.msi, Detection: malicious, Browse Filename: Document_a19_79b555791-28h97348k5477-3219g9.js, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse Filename: Cheater Pro 1.6.0.msi, Detection: malicious, Browse Filename: Cheat Lab 2.7.2.msi, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: Doc_m42_81h118103-88o62135w8623-1999q9.js, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI827B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: ad.msi, Detection: malicious, Browse Filename: Document_a19_79b555791-28h97348k5477-3219g9.js, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse Filename: Cheater Pro 1.6.0.msi, Detection: malicious, Browse Filename: Cheat Lab 2.7.2.msi, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: Doc_m42_81h118103-88o62135w8623-1999q9.js, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI829C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI82BC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIADBD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF675E700E3E268100.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF84AA1769D646EEA7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1434969816921214
Encrypted:	false
SSDEEP:	24:vOsTxtqEsipVtqE+tqEsipVtqEgVAEVtqyjCycVIwGuKO2BLBB+WY:2sTuSjSiVAEjCycf2BLBBG
MD5:	230E0E4EC375BB7B60D47E0B783A3C60
SHA1:	F80D7CCC6D6822E765BEE7159CD8F9917724DF7C
SHA-256:	256B5CAF68651A065FA4EC99D80F0045FA374CAB9EC7309C864527D4C3CDA474
SHA-512:	5B8FBEA097E4C42FFCA62744959545E3E9F6789EA1C6546F063AD95C8CB1E2476D77F3138F3A210C1C440CCB49DE2314B24AF9276C5F56EB05D2703B31D5045A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF4C5D3C8AB30DF96.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06865124144599899
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOFK0TlHXLboX/st6Vky6lZ:2F0i8n0itFzDHFFKsqX/2Z
MD5:	F164F17683B82A5A48D60CB5420CE46B
SHA1:	8613E8F06FAFFA42E1929EEC4260DB25523DFD5D
SHA-256:	C54B7BE1C2C71FF44223F7FEABB7C293B20F2BA48D02D2AF9685FB143EE7A5B4
SHA-512:	D492CF172EF702B16E66B6E372948446DD43B1741A5001C357FAB797EED6103D51D78C58056485E5E9E4B2C2E9A86451884CA42EB86C70B365799889071813B2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\sharepoint\360total.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.271226161679794
Encrypted:	false
SSDEEP:	12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
MD5:	BD3A3714EE9A071EBEB59AC91D9EBB5A
SHA1:	55110A221F20A4CEEC34C58D0179FA31F8C102E9
SHA-256:	4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
SHA-512:	7244220F29057339C99A22C20268187BA6F6681251F4CE4F305AD22DC030F6078B4F298EF10AD392DC5D036C41C7B8C28C2BD997EA39EF7AB023CB9B5C946DC8
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 10%, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..Bwsgi2........P.........................@..........!1)FX?@T#s9Cey$lE<HI0x&%czAYeH9a))*C9%fd8%Z<@zCvcK....................................

C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.271226161679794
Encrypted:	false
SSDEEP:	12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
MD5:	BD3A3714EE9A071EBEB59AC91D9EBB5A
SHA1:	55110A221F20A4CEEC34C58D0179FA31F8C102E9
SHA-256:	4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
SHA-512:	7244220F29057339C99A22C20268187BA6F6681251F4CE4F305AD22DC030F6078B4F298EF10AD392DC5D036C41C7B8C28C2BD997EA39EF7AB023CB9B5C946DC8
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 10%, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..Bwsgi2........P.........................@..........!1)FX?@T#s9Cey$lE<HI0x&%czAYeH9a))*C9%fd8%Z<@zCvcK....................................

C:\Windows\Installer\747f6e.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {6C81CEE0-3161-4D91-A688-254B67D7D838}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	1620480
Entropy (8bit):	7.153702346443201
Encrypted:	false
SSDEEP:	49152:JZH3YuW8zBQSc0ZnSKmZKumZr7AQB7aLTB:7Y90Zn0K/AQwLF
MD5:	37605A3EB80F3366E56938031A9AC917
SHA1:	0582A0DD69D6027FB94765254ED91AD736ADE305
SHA-256:	4E7AC0BDB516E983B3CAB7F79850D8102D2BF4117BB343B68D0DA73780CCEB1A
SHA-512:	772BB5538F5AF14146D9BCF8D8C29A70860ECDF84B4AF6CC99DAE7589F60847CA7CB87B068BD2AA86F620E79D394C223B96C9FE95FE390E8A9C8422282F5B405
Malicious:	false
Preview:	......................>.......................................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...............................................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\747f6f.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6038146071945973
Encrypted:	false
SSDEEP:	48:g80ccDH0luWqw1LCSiVAEjCycf27SOT5:g8RUDNZeQCG/
MD5:	D19184246803D4518495AFE1200E4D6E
SHA1:	BB4710FDC5C8D656893FE569550D9DF9FF35C2CA
SHA-256:	72ECA19ACA5A7F267EA3F700702590CEDB7288B075D227082791FDE26A877D60
SHA-512:	1C83C6A6013D85111F9AD4DEC5762E4282A5164040BB86329B36D0F015393058B7DC1D9C2EAEF09468F80D6B82BCE091AA2B27605CAC01D1077C12AAB3987496
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI19CA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401012
Entropy (8bit):	6.591583801241678
Encrypted:	false
SSDEEP:	6144:cMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1O:cMvZx0FlS68zBQSncb4ZPQTpAjZxqO1O
MD5:	2CA1525269AABDEC54BBE29C75CA2C9C
SHA1:	71C6FDD065A92B32CA27A3D839521D3F4667E2F4
SHA-256:	E8DCBD749DBB471272C4555235E6923B946D93FF957800C64A53C8A6399300C4
SHA-512:	15CAAC4A58C2CE994B016D207FB4313A63BC6EB3A5F2836315A9E95AC5A559E53B18769746117BA6E17ABC58C44697C10BD4B9956BE832B9CC59E07C982303D5
Malicious:	false
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..neo.msi.@.....@.....@.....@........&.{6C81CEE0-3161-4D91-A688-254B67D7D838}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}6.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}+.01:\Software\HuMaster LLC\360 Total\Version.@.......@.....@.....@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}4.C:\Users\user\AppData\Local\sharepoint\360total.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".6.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@......

C:\Windows\Installer\MSI1B42.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8029.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1618073920076895
Encrypted:	false
SSDEEP:	12:JSbX72FjQiAGiLIlHVRpqh/7777777777777777777777777vDHFFKsqX/DpZl0G:J5QI56foeF
MD5:	AB251117F6DE2E0E2F3E42A8A6C8CD4E
SHA1:	67C3E4AFC3E1FBBB311C66CA729F8878ECE2F87A
SHA-256:	A6673048BBC5DAD8F2905310E97D31ECB97A3DD60FA4DD526AA773BCE2B4A446
SHA-512:	0BC9A2F72AC358261F5955E70962154FA999BF8BC900A9CE58A232080EE5DDF2CC3761CDBDE19A4A0D8D7EBE70BED34D31193FCD762A1120D26BAE4EFDC3A7CA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {6C81CEE0-3161-4D91-A688-254B67D7D838}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.153702346443201
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	neo.msi
File size:	1'620'480 bytes
MD5:	37605a3eb80f3366e56938031a9ac917
SHA1:	0582a0dd69d6027fb94765254ed91ad736ade305
SHA256:	4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a
SHA512:	772bb5538f5af14146d9bcf8d8c29a70860ecdf84b4af6cc99dae7589f60847ca7cb87b068bd2aa86f620e79d394c223b96c9fe95fe390e8a9c8422282f5b405
SSDEEP:	49152:JZH3YuW8zBQSc0ZnSKmZKumZr7AQB7aLTB:7Y90Zn0K/AQwLF
TLSH:	6175D0227386C537C96E01303A19D66B5179FDB74B3140DBA3C8292E9EB45C1A739FA3
File Content Preview:	........................>.......................................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F..................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 19:27:00.940279961 CEST	54821	53	192.168.2.22	8.8.8.8
Apr 26, 2024 19:27:01.125499964 CEST	53	54821	8.8.8.8	192.168.2.22
Apr 26, 2024 19:27:01.136775970 CEST	54821	53	192.168.2.22	8.8.8.8
Apr 26, 2024 19:27:01.335549116 CEST	53	54821	8.8.8.8	192.168.2.22
Apr 26, 2024 19:27:01.335982084 CEST	54821	53	192.168.2.22	8.8.8.8
Apr 26, 2024 19:27:01.506666899 CEST	53	54821	8.8.8.8	192.168.2.22
Apr 26, 2024 19:27:01.506907940 CEST	54821	53	192.168.2.22	8.8.8.8
Apr 26, 2024 19:27:01.677035093 CEST	53	54821	8.8.8.8	192.168.2.22
Apr 26, 2024 19:27:01.680134058 CEST	54821	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 19:27:00.940279961 CEST	192.168.2.22	8.8.8.8	0xa11a	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.136775970 CEST	192.168.2.22	8.8.8.8	0xa11a	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.335982084 CEST	192.168.2.22	8.8.8.8	0xa11a	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.506907940 CEST	192.168.2.22	8.8.8.8	0xa11a	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.680134058 CEST	192.168.2.22	8.8.8.8	0xa11a	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 19:27:01.125499964 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.125499964 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.335549116 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.335549116 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.506666899 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.506666899 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.677035093 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:01.677035093 CEST	8.8.8.8	192.168.2.22	0xa11a	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	19:24:56
Start date:	26/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\neo.msi"
Imagebase:	0xff9d0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:24:56
Start date:	26/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0xff9d0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	19:24:56
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C
Imagebase:	0x2d0000
File size:	73'216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:25:10
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10
Imagebase:	0x2d0000
File size:	73'216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:25:20
Start date:	26/04/2024
Path:	C:\Windows\Installer\MSI1B42.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0xd10000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:25:21
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0xffa40000
File size:	45'568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.446771476.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:25:21
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Imagebase:	0xffa40000
File size:	45'568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000003.614395824.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.619163772.0000000001E80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.619168848.0000000001F0A000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.618961213.0000000000110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.619007012.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	19:25:25
Start date:	26/04/2024
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {9EB3A60F-302F-4AB2-B149-897715BB8B05} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff6a0000
File size:	464'384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	19:25:28
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Imagebase:	0xffa40000
File size:	45'568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000000D.00000002.420736655.00000000002A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000000D.00000002.420775529.0000000001AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.9%
Total number of Nodes:	1178
Total number of Limit Nodes:	20

Executed Functions

Function 00D14BA0 Relevance: 36.5, APIs: 24, Instructions: 502
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D157C0: GetCurrentProcess.KERNEL32(00000008,?,F83EBEA6,?,-00000010), ref: 00D157D0
Part of subcall function 00D157C0: OpenProcessToken.ADVAPI32(00000000), ref: 00D157D7

CoInitialize.OLE32(00000000), ref: 00D14C15
CoCreateInstance.OLE32(00D572B0,00000000,00000004,00D65104,00000000), ref: 00D14C45
OleUninitialize.OLE32 ref: 00D15187
_com_issue_error.COMSUPP ref: 00D151B5

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
String ID:
API String ID: 928366108-0
Opcode ID: c807a461d715d6fa1131d6d6a4f7579d11f70501de1456bba8123504fc8b971c
Instruction ID: 909dc11eac9c3874045a40d15ef89a5bb7e4d0a71f9d31d393d55406e3688f73
Opcode Fuzzy Hash: c807a461d715d6fa1131d6d6a4f7579d11f70501de1456bba8123504fc8b971c
Instruction Fuzzy Hash: 17229270904348EFEF11CFA8E948BDDBBB4AF45304F248199E845EB381DB759A85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D13C20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 225
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D136D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D13735
Part of subcall function 00D136D0: _wcschr.LIBVCRUNTIME ref: 00D137C6

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00D13CA8
NtQueryInformationProcess.NTDLL(?,00000000,00000000,00000018,00000000), ref: 00D13CC4
ReadProcessMemory.KERNELBASE(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00D13D01
ReadProcessMemory.KERNELBASE(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00D13D7A
ReadProcessMemory.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00D13EB1
GetLastError.KERNEL32 ref: 00D13F34
FreeLibrary.KERNEL32(?), ref: 00D13F7B

Strings

NtQueryInformationProcess, xrefs: 00D13CA2

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Process$MemoryRead$AddressDirectoryErrorFreeInformationLastLibraryProcQuerySystem_wcschr
String ID: NtQueryInformationProcess
API String ID: 847666571-2781105232
Opcode ID: de3c7cea94bf982ce80ad4b22ee4050a6ee8e9de74e30e2849f12fd1e897e5ef
Instruction ID: 7303e911669f328bd4acc4add514e140d6b9457ec7ab3e2c38d35ded99267cd0
Opcode Fuzzy Hash: de3c7cea94bf982ce80ad4b22ee4050a6ee8e9de74e30e2849f12fd1e897e5ef
Instruction Fuzzy Hash: ACA14A709047499EDB20CF64DC49BEEBBF0EF48314F244599E449A7280EBB5AAC4CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D13860 Relevance: 10.7, APIs: 7, Instructions: 227
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D138CB
CloseHandle.KERNEL32(00000000), ref: 00D1390B
Process32FirstW.KERNEL32(?,00000000), ref: 00D1395F
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00D1397A
CloseHandle.KERNELBASE(00000000), ref: 00D13A8E
Process32NextW.KERNEL32(?,00000000), ref: 00D13AA2
CloseHandle.KERNEL32(?), ref: 00D13AF0

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: 64ede5f8d2b4d9ccbf43f26a88ac47715ea03add9ac47ab2c9ecc9cb1b40f7dd
Instruction ID: 87afba110853b1ecdbbac79fa01fa53d176e42b934e88dddc9ee6e85ebbcef56
Opcode Fuzzy Hash: 64ede5f8d2b4d9ccbf43f26a88ac47715ea03add9ac47ab2c9ecc9cb1b40f7dd
Instruction Fuzzy Hash: 5CA1F9B1905249EFDF10CFA8D988BDEBBF8BF48304F244159E815AB380D7759A44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D16A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D16AC8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00D16AD5
CloseHandle.KERNEL32(00000000), ref: 00D16AF5

Strings

S-1-5-18, xrefs: 00D16B69

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: S-1-5-18
API String ID: 4052875653-4289277601
Opcode ID: 42d12eaf4ffed2deedeb0e7948c5905c74eadc2f238ef51e16dba0603c89fdb4
Instruction ID: 52df4e798d5e30ac641eca1b0648fd857b2a9cda4266e002e907cbe9bc668e99
Opcode Fuzzy Hash: 42d12eaf4ffed2deedeb0e7948c5905c74eadc2f238ef51e16dba0603c89fdb4
Instruction Fuzzy Hash: 7E02A470900215AFDF14DFA4E9557EEBBB5EF05304F188258E841AB285EF349D85CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3353F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00D33544

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bddd7870faf969fc0976618737168fdb562a594b36d77b4507b5b71f5c058f71
Instruction ID: bd32dcf9bebef354ea77bc685c2827fc25652db6b702fdcba4527a2374ac6061
Opcode Fuzzy Hash: bddd7870faf969fc0976618737168fdb562a594b36d77b4507b5b71f5c058f71
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D19730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::locale::_Init.LIBCPMT ref: 00D19763

Part of subcall function 00D20C94: __EH_prolog3.LIBCMT ref: 00D20C9B
Part of subcall function 00D20C94: std::_Lockit::_Lockit.LIBCPMT ref: 00D20CA6
Part of subcall function 00D20C94: std::locale::_Setgloballocale.LIBCPMT ref: 00D20CC1
Part of subcall function 00D20C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00D20D17

std::_Lockit::_Lockit.LIBCPMT ref: 00D1978A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D197F0
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00D1984A

Part of subcall function 00D1F57A: __EH_prolog3.LIBCMT ref: 00D1F581
Part of subcall function 00D1F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D1F5C8
Part of subcall function 00D1F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D1F620
Part of subcall function 00D1F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D1F654
Part of subcall function 00D1F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D1F6A8

LocalFree.KERNEL32(00000000,00000000,?,00D654B1,00000000), ref: 00D199BF
__cftoe.LIBCMT ref: 00D19B0B

Strings

bad locale name, xrefs: 00D198FF

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$H_prolog3Lockit::_$FreeInitLocalLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
String ID: bad locale name
API String ID: 3103716676-1405518554
Opcode ID: 8161fa3a612e21cb02fa91bfe300768d6e3837109596c34e576bd7296481f798
Instruction ID: 6ef3c4a4c137b9321d1a27cafb50df424d9d5cff84b0bc9a3651ba52c44b98e9
Opcode Fuzzy Hash: 8161fa3a612e21cb02fa91bfe300768d6e3837109596c34e576bd7296481f798
Instruction Fuzzy Hash: A9F19F70904248EFDB14CFA8E9A4BEEFBB5EF09304F144169E845A7381DB759A44CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D472FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00D47408,00D43841,0000000C,?,00000000,00000000,?,00D47632,00000021,FlsSetValue,00D5BD58,00D5BD60,?), ref: 00D473BC

Strings

ext-ms-, xrefs: 00D47366
api-ms-, xrefs: 00D47352

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 22c9f838b6fe57ab6fbd2af541a0f1b8ad382058ed3eee24fb37eae6f05c0a6b
Instruction ID: 1263adde15cb273eb4d36db97b36ce3ecbda4a7572fb589aa02764c97cacdccd
Opcode Fuzzy Hash: 22c9f838b6fe57ab6fbd2af541a0f1b8ad382058ed3eee24fb37eae6f05c0a6b
Instruction Fuzzy Hash: 8121D276A09311EBCB219FA5EC49A6A37A89B41771F290110ED61E7390DB70ED00D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00D136D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D13735
GetLastError.KERNEL32(?,?,?,00D54215,000000FF), ref: 00D1381A

Part of subcall function 00D12310: GetProcessHeap.KERNEL32 ref: 00D12365

Part of subcall function 00D146F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00D13778,-00000010,?,?,?,00D54215,000000FF), ref: 00D14736

_wcschr.LIBVCRUNTIME ref: 00D137C6
LoadLibraryExW.KERNELBASE(?,00000000,00000000,?,?,00D54215,000000FF), ref: 00D137DB

Strings

ntdll.dll, xrefs: 00D137B3

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
String ID: ntdll.dll
API String ID: 3941625479-2227199552
Opcode ID: 38bc56faf30dc250c4b513dca0c2a295fafe1f22da384bd5012e87e5e769d8bd
Instruction ID: 01309638b8257cb6db9572ba2b79f9d34979780500eea28710d5864c55563dee
Opcode Fuzzy Hash: 38bc56faf30dc250c4b513dca0c2a295fafe1f22da384bd5012e87e5e769d8bd
Instruction Fuzzy Hash: 144180B1A00605AFDB10DFA8EC45BEEB7A4FF04310F144529E926D72C1EBB09A44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D369E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00D36AA3,?,?,00D6DDCC,00000000,?,00D36BCE,00000004,InitializeCriticalSectionEx,00D597E8,InitializeCriticalSectionEx,00000000), ref: 00D36A72

Strings

api-ms-, xrefs: 00D36A32

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 7391e49cde8450611e3a1b914585c5513d3d61acad6d959be2209627b6612420
Instruction ID: ce98feb7cd5850792f540449dfb8bdbc3fef9ca575d58fa0052589c10cfb5cf0
Opcode Fuzzy Hash: 7391e49cde8450611e3a1b914585c5513d3d61acad6d959be2209627b6612420
Instruction Fuzzy Hash: F111A331A04725BBCF228B68AC41B5973A4AF01771F28C260FE55FB380E670EE0086F5

Uniqueness

Uniqueness Score: -1.00%

Function 00D46DB9 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00D46E40
__alloca_probe_16.LIBCMT ref: 00D46F01
__freea.LIBCMT ref: 00D46F68

Part of subcall function 00D45BDC: RtlAllocateHeap.NTDLL(00000000,00000000,00D43841,?,00D4543A,?,00000000,?,00D36CE7,00000000,00D43841,00000000,?,?,?,00D4363B), ref: 00D45C0E

__freea.LIBCMT ref: 00D46F7D
__freea.LIBCMT ref: 00D46F8D

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 8f2328c8a308e4e14fae874aa95d2e594098df584c50869e6ee85fe4fd6b98bd
Instruction ID: cfe2fe9975ef3ae1f91e16f7a1df5d25e99e6f172ef09a1ed3f03eed6d71286d
Opcode Fuzzy Hash: 8f2328c8a308e4e14fae874aa95d2e594098df584c50869e6ee85fe4fd6b98bd
Instruction Fuzzy Hash: 35519072A00206AFEF219FA4DC41EBF3AA9EF05750F194129FD46D6251E735DC148B72

Uniqueness

Uniqueness Score: -1.00%

Function 00D157C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,F83EBEA6,?,-00000010), ref: 00D157D0
OpenProcessToken.ADVAPI32(00000000), ref: 00D157D7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00D1580C
CloseHandle.KERNEL32(?), ref: 00D15822

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 16100d999469399fa299953f3486169504bb7b28e382edbc949ae7540ffa4ffe
Instruction ID: cd0ef502c69d42af115e3bc798c5752c13f9bae3a41cab63a572283918b82d37
Opcode Fuzzy Hash: 16100d999469399fa299953f3486169504bb7b28e382edbc949ae7540ffa4ffe
Instruction Fuzzy Hash: 0AF0F9B4148301AFEB109F24FC49BAA7BE8BB84701F948819FD84C22A0D779955CDA72

Uniqueness

Uniqueness Score: -1.00%

Function 00D1CDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(F83EBEA6,?,?,?,?,?,?,?,?,?,00D556D5,000000FF), ref: 00D1CDE8

Part of subcall function 00D11F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00D14251,F83EBEA6,00000000,?,00000000,?,?,?,00D54400,000000FF,?), ref: 00D11F9D

ExitProcess.KERNEL32 ref: 00D1CEB1

Part of subcall function 00D16600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00D1667E

Strings

Full command line:, xrefs: 00D1CE13

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 175e70f95ed389efc216460209472895fe59f833e6e2cc9b1457f51357092c72
Instruction ID: 3a78ef9acd13de894f5e1b39a09c19c07e8d90608b44d5ee7c77134a0ca52665
Opcode Fuzzy Hash: 175e70f95ed389efc216460209472895fe59f833e6e2cc9b1457f51357092c72
Instruction Fuzzy Hash: AC21DE71A20254BBCB15EB60EC56BEE77B5EF44740F144118F802AB296EF749A88C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D15E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00D15E18,F83EBEA6,?), ref: 00D15EB4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00D15E18,F83EBEA6,?), ref: 00D15EBE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00D15E18,F83EBEA6,?), ref: 00D15F1A

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 8171796db47c06a5fc839a842a9e9af0f9db9ecaf03dad0ab71754602e896225
Instruction ID: de90742d0eeaefbdc08ff73c54e14dd15022a625dec88f59f3c6ba0c8790faa2
Opcode Fuzzy Hash: 8171796db47c06a5fc839a842a9e9af0f9db9ecaf03dad0ab71754602e896225
Instruction Fuzzy Hash: B5317C71A00605EFDB14CF98EC45BAFBBF9FB84710F20452AF415E7284DBB5A9448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D4B860 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D4B390: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00D4B3BB

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00D4B6A7,?,00000000,?,?,?), ref: 00D4B8C1
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D4B6A7,?,00000000,?,?,?), ref: 00D4B903

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 10e93eef763c7a98ac47894edd12aca4e95f27db5ccc60761031996de107e084
Instruction ID: 0cc49fe49b010fcc61a3b0ff27ce57cc0a3955ef788aad7937ef55d1aed2e18a
Opcode Fuzzy Hash: 10e93eef763c7a98ac47894edd12aca4e95f27db5ccc60761031996de107e084
Instruction Fuzzy Hash: E851E070A003459FDB20CF76C881AAABBE4EF65324F18456FD18687252D7B5E946CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D32096 Relevance: 3.0, APIs: 2, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(?,?,00D20E39,00D20E7F,?,00D20CC6,00000000,00000000,00000000,00000004,00D19768,00000000,F83EBEA6,?,?), ref: 00D320A9
IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D42A23

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: a0cead2c01ca200f84056e76271e11f25b5302a99a7fd3b5f3310f711267a17e
Instruction ID: dcc1d2ce93fd55d061e910639cf6a84edee77b6503a79741c253b3268d5fdc98
Opcode Fuzzy Hash: a0cead2c01ca200f84056e76271e11f25b5302a99a7fd3b5f3310f711267a17e
Instruction Fuzzy Hash: 8EF0B470284705EBE725BB14FC0BB303B58DB14705F588029FE48E82E2DAB08441CA32

Uniqueness

Uniqueness Score: -1.00%

Function 00D35A0A Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D35A28
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D35A33

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 23a23881630025d7106eebc979a0781bfdc7751a1dc309a96ef77ac9fb994acf
Instruction ID: c927d6f9d7f4b6a2b0f32d79b0bba167e7bdf7b99a9da74d83177b79b7d8c1d7
Opcode Fuzzy Hash: 23a23881630025d7106eebc979a0781bfdc7751a1dc309a96ef77ac9fb994acf
Instruction Fuzzy Hash: 7DD02230558F00AD0E007670BC8396823408E027BCFA4E386F020C79CAFE20E4087D32

Uniqueness

Uniqueness Score: -1.00%

Function 00D28666 Relevance: 3.0, APIs: 2, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2866D
_Getvals.LIBCPMT ref: 00D28689

Part of subcall function 00D21DA1: std::_Locinfo::_W_Getdays.LIBCPMT ref: 00D21DC3
Part of subcall function 00D21DA1: std::_Locinfo::_W_Getmonths.LIBCPMT ref: 00D21DD5

Part of subcall function 00D323F8: GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00D300E2,00000000,00000000,00000004,00D2ED14,00000000,00000004,00D2F127,00000000,00000000), ref: 00D32410

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Locinfo::_std::_$GetdaysGetmonthsGetvalsH_prolog3InfoLocale
String ID:
API String ID: 3247073284-0
Opcode ID: 57b7a81ea20d531140a11f847abbccef67751b4c8d7acb00c3ef55aa96bb362b
Instruction ID: 90652d4181237fc8a9806dc0578d7c3b0227f25e83f26010a238956461b88d8c
Opcode Fuzzy Hash: 57b7a81ea20d531140a11f847abbccef67751b4c8d7acb00c3ef55aa96bb362b
Instruction Fuzzy Hash: 69E0B6B5D007509FDB64EFB4950162EBAE1EB14310B10892EA959D7602D77496048BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D4B464 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,00D4B6B3,00D4B6A7,00000000), ref: 00D4B496

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 736b48a4813aebaab1d925f77713f393216b9f17c63dc0ae5a137c99776b8b01
Instruction ID: d243bf5d83af5bab089c5dafed1582001518bed7a3215a86f2014131bd4f06d6
Opcode Fuzzy Hash: 736b48a4813aebaab1d925f77713f393216b9f17c63dc0ae5a137c99776b8b01
Instruction Fuzzy Hash: EE5109719082589BDB218F28CD80AE6BBB8EB65324F2405AAE5DAD7142D335DD46DF30

Uniqueness

Uniqueness Score: -1.00%

Function 00D473C6 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048ed38e7db160375a75e73b8eceea5ed11a1927d7f46c4050e4e8e5dc9dfb3c
Instruction ID: b61d5c8e17481053e31aa0665541147d2daff83cc31af03d00c7f7a79234eff9
Opcode Fuzzy Hash: 048ed38e7db160375a75e73b8eceea5ed11a1927d7f46c4050e4e8e5dc9dfb3c
Instruction Fuzzy Hash: A901D837718311AF9F16DE7DEC40A6A37D6EB897607249120F954DB254DB30D801D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D470BB Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00D4596A,00000001,00000364,?,00000004,000000FF,?,00D36CE7,00000000,00D43841,00000000), ref: 00D470FC

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7eea66514cc2d93d42a80de058a66f2695512c49b55d304f94b8354f0e854f32
Instruction ID: 918a15361e3da4e887bbe05bc15e6cfcee05853fca1ca34a277587127559a15c
Opcode Fuzzy Hash: 7eea66514cc2d93d42a80de058a66f2695512c49b55d304f94b8354f0e854f32
Instruction Fuzzy Hash: 42F0E23124E7646B9B325A269C01B5B77ADEF517B1B184022FC58EA190CBA0EC0086F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D36A7C Relevance: 1.5, APIs: 1, Instructions: 33libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00D6DDCC,00000000,?,00D36BCE,00000004,InitializeCriticalSectionEx,00D597E8,InitializeCriticalSectionEx,00000000,?,00D3698D,00D6DDCC,00000FA0,00000000), ref: 00D36AAD

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4eab16ed76a313d52732e9a16894d9edfb551aaf4598899af2e4bd73b8c98294
Instruction ID: eb6c39714a6f27d2a9e7f17b7319e7a7e10677137f1a104cffe906a2ac4409ef
Opcode Fuzzy Hash: 4eab16ed76a313d52732e9a16894d9edfb551aaf4598899af2e4bd73b8c98294
Instruction Fuzzy Hash: 8EF08C36304316AF8F129EA9AC0089A77A9EF00720F28C024FD14E7290EB31D9208BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D45BDC Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00D43841,?,00D4543A,?,00000000,?,00D36CE7,00000000,00D43841,00000000,?,?,?,00D4363B), ref: 00D45C0E

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7087639666ce4164c046206c6455ca34608aa9b3bfdb4caaa9998d4100d7405d
Instruction ID: a4175df7f57a9fcc2228efc355ee48d5a2ca52ac850d14318c8bf5e6962d71e8
Opcode Fuzzy Hash: 7087639666ce4164c046206c6455ca34608aa9b3bfdb4caaa9998d4100d7405d
Instruction Fuzzy Hash: 0DE0ED21204F215BD6312AA9BD81B9A379CEF127A1F190221FC96D62DBCB60CC0089F9

Uniqueness

Uniqueness Score: -1.00%

Function 00D19910 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D20DF9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D20E11

Part of subcall function 00D19730: std::locale::_Init.LIBCPMT ref: 00D19763
Part of subcall function 00D19730: std::_Lockit::_Lockit.LIBCPMT ref: 00D1978A
Part of subcall function 00D19730: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D197F0

LocalFree.KERNEL32(00000000,00000000,?,00D654B1,00000000), ref: 00D199BF
__cftoe.LIBCMT ref: 00D19B0B

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_std::locale::_$FreeInitLocalLocimpLocimp::_Locinfo::_Locinfo_ctorLockitLockit::___cftoe
String ID:
API String ID: 810108568-0
Opcode ID: bb141986e259aac4dc8fe8379f619c792e2170b63b62c5c88cfa8aa51c24c1ad
Instruction ID: ae0c7c7169b5c150edf524e9bf00e8f7b302c00492d22179e87b7bd884fe70c5
Opcode Fuzzy Hash: bb141986e259aac4dc8fe8379f619c792e2170b63b62c5c88cfa8aa51c24c1ad
Instruction Fuzzy Hash: 182180B09042499FEB04DF98D969BEEFBB5EB08710F24011DE415A73C0DB795A88CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D45425 Relevance: 1.3, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D45BDC: RtlAllocateHeap.NTDLL(00000000,00000000,00D43841,?,00D4543A,?,00000000,?,00D36CE7,00000000,00D43841,00000000,?,?,?,00D4363B), ref: 00D45C0E

HeapReAlloc.KERNEL32(00000000,00000000,?,00D43841,00000000,?,00D36CE7,00000000,00D43841,00000000,?,?,?,00D4363B,?,00000000), ref: 00D45482

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: 7d712a7dd82f98d303af2ebced1542e12c9eb4c37c4279508b30351204a55386
Instruction ID: 220adb0ff346e407ea3f12a6d006538a103d6b2830beeb048576451745cc249c
Opcode Fuzzy Hash: 7d712a7dd82f98d303af2ebced1542e12c9eb4c37c4279508b30351204a55386
Instruction Fuzzy Hash: 0BF0C232200E1967CB212A25BC00B6B2758CF827B2B2C8016F95DAE1ABDA70C98081B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D152F0 Relevance: 52.9, APIs: 14, Strings: 16, Instructions: 402libraryloadersleepCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 00D1549C
GetForegroundWindow.USER32 ref: 00D1551D
ShellExecuteExW.SHELL32(?), ref: 00D15601
ShellExecuteExW.SHELL32(?), ref: 00D15637
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00D1567C
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D15685
AllowSetForegroundWindow.USER32(00000000), ref: 00D1568B
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00D156AB
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D156AE
Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 00D156CA
EnumWindows.USER32(00D15830,?), ref: 00D156DF
BringWindowToTop.USER32(00000000), ref: 00D156F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00D15711
GetExitCodeProcess.KERNEL32(?,?), ref: 00D1571B

Strings

runas, xrefs: 00D154EC
.bat, xrefs: 00D15422
Visible, xrefs: 00D155DB, 00D155EA
Window Visibility:, xrefs: 00D155E3
GetProcessId, xrefs: 00D15672, 00D156A1
Verb:<, xrefs: 00D1559E
.cmd, xrefs: 00D1545F
open, xrefs: 00D154D5
Parameters:<, xrefs: 00D155C6
/C ""%s" %s", xrefs: 00D154C1
FilePath:<, xrefs: 00D15589
Kernel32.dll, xrefs: 00D15677, 00D156A6
Hidden, xrefs: 00D155D6
ShellExecuteInfo members:, xrefs: 00D15540
Directory:<, xrefs: 00D155B2
%s\System32\cmd.exe, xrefs: 00D154A9

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
API String ID: 697762045-2796270252
Opcode ID: 3f5bac6a8d6f938b552b2a0c6c20bc91335c29628a62f5ad718a4148bc158197
Instruction ID: 075d2973f3cd5eb08941fdecedc970b41898a5e86d3e62da04413e7b13839fe3
Opcode Fuzzy Hash: 3f5bac6a8d6f938b552b2a0c6c20bc91335c29628a62f5ad718a4148bc158197
Instruction Fuzzy Hash: E9E1A271A00B05EBCB10DFA4E844BEEB7B1EF85710F584169E815AB399DB389D85CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D1C870 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00D1CBB6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00D6E6D0,00000800), ref: 00D1CBD3

Strings

/HideWindow, xrefs: 00D1C98E, 00D1C9AC, 00D1C9B1
/RunAsAdmin , xrefs: 00D1C92B, 00D1C94C, 00D1C951
/LogFile, xrefs: 00D1CA07
/DontWait , xrefs: 00D1C8D8, 00D1C8EE, 00D1C8F3
/DIR , xrefs: 00D1C9F3
/EnforcedRunAsAdmin , xrefs: 00D1C893, 00D1C8A3, 00D1C8A8

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
API String ID: 4153817207-482544602
Opcode ID: 66422456219bec6796f08a0d3e1c5af975abf17f1de70f4e94d30adf8830a625
Instruction ID: bd414ecf640c694af2ea5fd43afbade4a5b9ed0f807bc2f9fd47347b613e103d
Opcode Fuzzy Hash: 66422456219bec6796f08a0d3e1c5af975abf17f1de70f4e94d30adf8830a625
Instruction Fuzzy Hash: 67C1C1356A4216AACB359F14F4012FA73A2EF90740F5C6459E88ADB294EF70CDC1C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4DE24 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

GetACP.KERNEL32(?,?,?,?,?,?,00D442D9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00D4DEE5
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00D442D9,?,?,?,00000055,?,-00000050,?,?), ref: 00D4DF10
_wcschr.LIBVCRUNTIME ref: 00D4DFA4
_wcschr.LIBVCRUNTIME ref: 00D4DFB2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00D4E073

Strings

utf8, xrefs: 00D4DFE2

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 3e3b048905023c0512739791ea8b001f2d3df554d1737ff265e12145c1406b43
Instruction ID: 52ff195b61393a37d5353f29a92648a3ce9f4ec55cfe6b722d5467d487f21ec5
Opcode Fuzzy Hash: 3e3b048905023c0512739791ea8b001f2d3df554d1737ff265e12145c1406b43
Instruction Fuzzy Hash: 6771D171A00706ABDB24AB75DC86BBB73A9EF14700F184439F956DB181EBB4E940CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D4F032 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D4F216

Strings

1#INF, xrefs: 00D4F168
1#IND, xrefs: 00D4F137
1#SNAN, xrefs: 00D4F13E
1#QNAN, xrefs: 00D4F145

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4c3ec9692b54b778a77fe6793857979dd749596a0ea1610cdefe315c91802e15
Instruction ID: 3698741d7889152c61f5c18ffad0d039e83aa8aef7e29c632c3015a3c05a6c02
Opcode Fuzzy Hash: 4c3ec9692b54b778a77fe6793857979dd749596a0ea1610cdefe315c91802e15
Instruction Fuzzy Hash: 72D22972E082288FDB65CF28DD407EAB7B5EB44305F1841EAD84DE7250E774AE858F61

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E5B3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00D4E8D1,00000002,00000000,?,?,?,00D4E8D1,?,00000000), ref: 00D4E64C
GetLocaleInfoW.KERNEL32(?,20001004,00D4E8D1,00000002,00000000,?,?,?,00D4E8D1,?,00000000), ref: 00D4E675
GetACP.KERNEL32(?,?,00D4E8D1,?,00000000), ref: 00D4E68A

Strings

ACP, xrefs: 00D4E5D1
OCP, xrefs: 00D4E607

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3ded65032ce266ef3c78480abc672a38e59c48063fd9daf4e0a4b50076d49b94
Instruction ID: 0307b112424314f389379b8f0a5cda87800191e5fa2f7f1e675293023b481610
Opcode Fuzzy Hash: 3ded65032ce266ef3c78480abc672a38e59c48063fd9daf4e0a4b50076d49b94
Instruction Fuzzy Hash: 82216A22B00200BBDB34CF24C905AA7B7A6BF64B65F5B8864ED4AD7214EB32DD40C770

Uniqueness

Uniqueness Score: -1.00%

Function 00D19CC0 Relevance: 7.9, APIs: 5, Instructions: 441COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D19E60
LocalFree.KERNEL32(00000000), ref: 00D19EB7
_swprintf.LIBCMT ref: 00D1A0A0
LocalFree.KERNEL32(00000000), ref: 00D1A0F7
_swprintf.LIBCMT ref: 00D1A183

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID:
API String ID: 2429749586-0
Opcode ID: 833f08989ead5d8a4cb149ab238aee6055d37603299272aa2888134f396d0fc9
Instruction ID: e07eada19ebaff8e33e8a093ad6f0529fccf9f29fbc7d36ef7c75b27c2c4ace8
Opcode Fuzzy Hash: 833f08989ead5d8a4cb149ab238aee6055d37603299272aa2888134f396d0fc9
Instruction Fuzzy Hash: D3F19B71D10219ABDF14DFA8EC50BEEBBB5FF48310F144229F911A7280DB35A9818BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E788 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00D4E894
IsValidCodePage.KERNEL32(00000000), ref: 00D4E8DD
IsValidLocale.KERNEL32(?,00000001), ref: 00D4E8EC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D4E934
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D4E953

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 4b39d2e2cb144d1127058e928ecfc3923a86953b1f3a238d4178cce95333b9bb
Instruction ID: 9bd5a038c0d053ee7c69000ea7c2dbae28353c1ddbb4edd27284f1a7805d3640
Opcode Fuzzy Hash: 4b39d2e2cb144d1127058e928ecfc3923a86953b1f3a238d4178cce95333b9bb
Instruction Fuzzy Hash: DD512A71A00319BFEF20DFA5DC45ABAB7B8FF88701F184469E950E7191E77099448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D45D6D Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D45DFA

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction ID: 484aa4fac37f2da1ea9537954a887693b2c5f63cc616385efbda5c4f5cb46059
Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction Fuzzy Hash: 59B177729046459FDF15CF68C881BEEBBE5EF1A300F18816AE841AB346D235DD05CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D333A8 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D333B4
IsDebuggerPresent.KERNEL32 ref: 00D33480
SetUnhandledExceptionFilter.KERNEL32 ref: 00D334A0
UnhandledExceptionFilter.KERNEL32(?), ref: 00D334AA

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4c2b0a19072e5310d8015f2fd2c9b1df85665060fec095bceb6f2ec9914471a3
Instruction ID: 9affc74a23b7738f81ea2dafef67f05f26109806099c7c8575277aa7ba582180
Opcode Fuzzy Hash: 4c2b0a19072e5310d8015f2fd2c9b1df85665060fec095bceb6f2ec9914471a3
Instruction Fuzzy Hash: BC314775D053189BDB11DFA4DA89BCCBBB8AF08304F1040AAE50CAB250EB759B858F64

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D0A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D1C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,F83EBEA6,?,00D53D30,000000FF), ref: 00D1C657
Part of subcall function 00D1C630: GetLastError.KERNEL32(?,00000000,00000000,F83EBEA6,?,00D53D30,000000FF), ref: 00D1C661

IsDebuggerPresent.KERNEL32(?,?,00D68AF0), ref: 00D1D0D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00D68AF0), ref: 00D1D0E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D1D0E2

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 27dff9f266873cb6a1a7397572bd341e0c50c888752f792b0de50ee3c567fbf0
Instruction ID: 61486fe48bfcb74c241cff1e13a563c3ce39c925b20f87330bac33313e1956db
Opcode Fuzzy Hash: 27dff9f266873cb6a1a7397572bd341e0c50c888752f792b0de50ee3c567fbf0
Instruction Fuzzy Hash: 92E06D702047519FD320AF68F4047867BE4AB28341F14885CEC59C2790DFB4E4CD8BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E237 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4E28B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4E2D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4E39B

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 17e118d8c8e3882bf60a38bcdfe72468dc4be8f9d1d6a5451a3e172469c84f14
Instruction ID: 2ba31367c42e4530e16c24df82d8c787cf62e3672ac1af8b8f7fad0f3decadef
Opcode Fuzzy Hash: 17e118d8c8e3882bf60a38bcdfe72468dc4be8f9d1d6a5451a3e172469c84f14
Instruction Fuzzy Hash: 22619071500617AFEB299F24CC86BBA77A8FF14311F184179E909C7285E778E985CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D36E1B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D36F13
SetUnhandledExceptionFilter.KERNEL32 ref: 00D36F1D
UnhandledExceptionFilter.KERNEL32(?), ref: 00D36F2A

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fa78b4d68b76d17be60feaba681e38c654fe40b907ac50e9ee721e5b2eba8a82
Instruction ID: 3e4251dc0ed6fa2d76a7e19253d43e66572c8cd0674d4cc40b8f9ba46a2f6b68
Opcode Fuzzy Hash: fa78b4d68b76d17be60feaba681e38c654fe40b907ac50e9ee721e5b2eba8a82
Instruction Fuzzy Hash: 7D31D474901318ABCB21DF64D988B8DBBB8FF08310F5041EAE41CA7250E7709B818F64

Uniqueness

Uniqueness Score: -1.00%

Function 00D145B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,F83EBEA6,00000001,00000000,?,00000000,00D54460,000000FF,?,00D1474D,00D13778,?,00000000,00000000,?), ref: 00D145DB
LockResource.KERNEL32(00000000,?,00000000,00D54460,000000FF,?,00D1474D,00D13778,?,00000000,00000000,?,?,?,?,00D13778), ref: 00D145E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00D54460,000000FF,?,00D1474D,00D13778,?,00000000,00000000,?,?,?), ref: 00D145F4

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 4ab8f2b6cf7ad033a850efad0f5a7603909997e0bf56ef5f229cc899f172a68d
Instruction ID: 6c3051d2ff1694d54a2eb17ee396e4a1fe48df59f1d3056b756625a4b294eaf1
Opcode Fuzzy Hash: 4ab8f2b6cf7ad033a850efad0f5a7603909997e0bf56ef5f229cc899f172a68d
Instruction Fuzzy Hash: F711A732A04654ABC7358F59EC44BE6B7F8E785719F14052AEC19D3380EA759C4486B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3E270 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction ID: 7afeceed0cff0c079f65a10166e0b5c3f3a825fb9c5ae613c758b3ca7f074643
Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction Fuzzy Hash: D1F13F71E012199FDF14CFA8C9806ADB7B1FF98324F198669E815A73C1D730AD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D47B1F Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00D47F64,00000000,00000000,00000000), ref: 00D47E23

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: cf33aa62f14b767a5a61797bbde638942fb7eec6a92cd1638d6e939feda2de42
Instruction ID: d61afd99afc6afbf33ad8ee118f853c646fcb5d09f26d8a05016e75347397c9c
Opcode Fuzzy Hash: cf33aa62f14b767a5a61797bbde638942fb7eec6a92cd1638d6e939feda2de42
Instruction Fuzzy Hash: 60C11672E04215ABDB24AF64DC02ABE7BB9EF04750F584066F941EB291F7709E41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D484BD Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D484B8,?,?,00000008,?,?,00D514E4,00000000), ref: 00D486EA

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a0dd34b348e1abfbce755151d737b8d3a274d711042f50f895a0e4f7f83ce3bd
Instruction ID: 3887b7ccb99211fb5404c03828ecd09528eba7facde21396f137d689c0898f2c
Opcode Fuzzy Hash: a0dd34b348e1abfbce755151d737b8d3a274d711042f50f895a0e4f7f83ce3bd
Instruction Fuzzy Hash: 76B16D31610608CFD715CF28C49AB687BE0FF453A5F298658E8DACF2A1CB35E981DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D335A9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D335BF

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: a2a78e96e99d4e91841ad39d39e7f4bd018718f8c8ca5ab778419f20d94e6b52
Instruction ID: 19a8cd9e43e8bc1c44f4ce8e1c3fb32e083528edd680d31fed3767cf0911cc3a
Opcode Fuzzy Hash: a2a78e96e99d4e91841ad39d39e7f4bd018718f8c8ca5ab778419f20d94e6b52
Instruction Fuzzy Hash: F05149B1A143159FEB25CF59E9817AABBF1FB44354F28852AD405EB350D3B59A00CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AF79 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247b5e3547bfb1266486f237e50a606736d9faa5349c41c05299f08b650abe4d
Instruction ID: 099751aa7c439ca006b4466514b66d004fc5cf7d5f3f16ccb14bceaf0a221707
Opcode Fuzzy Hash: 247b5e3547bfb1266486f237e50a606736d9faa5349c41c05299f08b650abe4d
Instruction Fuzzy Hash: BB31B276900219AFCB20DFA8CC859BBB77DEB85351F184159F91597240EA30EE448B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A587 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00D3A715

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8b3582d752a9892e37588021e30282540cfe27c7c5dd136deb97b398bf7917c5
Instruction ID: 95874b7eec1bfaa9006e0eaa4a1c57e0c520ed4741949cc692eeccde2ff9894f
Opcode Fuzzy Hash: 8b3582d752a9892e37588021e30282540cfe27c7c5dd136deb97b398bf7917c5
Instruction Fuzzy Hash: 37C18CB4B00A468FCB28CF2CC495ABABBB1AF45310F2C4619D5D697291C731ED46CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E48A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4E4DE

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 857e13bb820f54a1f92c3a720eda38655cec050f9a3bd1611d3c64c198d88ffb
Instruction ID: 26879e3f955cac00eab81d31c3fab1c4fe9504034e299413ba4c2fb2810c32d1
Opcode Fuzzy Hash: 857e13bb820f54a1f92c3a720eda38655cec050f9a3bd1611d3c64c198d88ffb
Instruction Fuzzy Hash: 90218E72654206BBDB289F29DC42BBA77A8FF04718F14017AF905D6241FB74ED008B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E111 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

EnumSystemLocalesW.KERNEL32(00D4E237,00000001,00000000,?,-00000050,?,00D4E868,00000000,?,?,?,00000055,?), ref: 00D4E183

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5eb77c68aeb284640efe8db6decb9df9f45602fa61969d6ccdef9081f9bd5a7e
Instruction ID: 204864b332279ec93d6a76e73c44be6edc0d773b5861791ba4328bce1d6b7007
Opcode Fuzzy Hash: 5eb77c68aeb284640efe8db6decb9df9f45602fa61969d6ccdef9081f9bd5a7e
Instruction Fuzzy Hash: 88110C3B200701AFDB189F39D8919BAB791FF84759B19442DE94687B40D7717943CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E6B9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00D4E453,00000000,00000000,?), ref: 00D4E6E5

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6299d1907b94ac9dd20b8bf6c8f2dde0bc5d141d082a16c64e927164c5b62ae3
Instruction ID: c8570a09e1a0b03b7c48818d923afb051771deace5056b99f4609f9eb4d0e5b9
Opcode Fuzzy Hash: 6299d1907b94ac9dd20b8bf6c8f2dde0bc5d141d082a16c64e927164c5b62ae3
Instruction Fuzzy Hash: B5F0F236600312BBDB285764CC45BBA7B58FB407B4F190464ED15E3180EA74FD41C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E1AC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

EnumSystemLocalesW.KERNEL32(00D4E48A,00000001,?,?,-00000050,?,00D4E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00D4E1F6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d1bd7164c07cf01f85b843df3beed7788f3ef31b9bb755454484ca718a17d848
Instruction ID: 3c7c12399ffd37f124a402d5cd7b86fabedadd7217864e3a969854fbb78d8766
Opcode Fuzzy Hash: d1bd7164c07cf01f85b843df3beed7788f3ef31b9bb755454484ca718a17d848
Instruction Fuzzy Hash: 8EF0F6362007047FDB245F399C85A7A7B95FF80768F19442CFA458B680D6B19C42DA74

Uniqueness

Uniqueness Score: -1.00%

Function 00D47132 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D41C9A: EnterCriticalSection.KERNEL32(-00D6DE50,?,00D43576,?,00D6A078,0000000C,00D43841,?), ref: 00D41CA9

EnumSystemLocalesW.KERNEL32(00D47125,00000001,00D6A1D8,0000000C,00D47554,00000000), ref: 00D4716A

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1c11ab9ade6b843586766087ab04ca50b6e95f2dfbfb36999b7094b594aec546
Instruction ID: 0ba2734259a004d60bc3b5b63093ad2f17da4989b6fa6dee0c90e8d410eed93c
Opcode Fuzzy Hash: 1c11ab9ade6b843586766087ab04ca50b6e95f2dfbfb36999b7094b594aec546
Instruction Fuzzy Hash: 95F03776A54300EFD700EF98E946B9877E0FB48722F10455AF415EB3A0EBB949048F70

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E0C6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D457CC: GetLastError.KERNEL32(?,00000008,00D4AD4C), ref: 00D457D0
Part of subcall function 00D457CC: SetLastError.KERNEL32(00000000,00000000,00000004,000000FF), ref: 00D45872

EnumSystemLocalesW.KERNEL32(00D4E01F,00000001,?,?,?,00D4E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00D4E0FD

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 36e47730b56429a359037d3002e8ff344343b50b9d22fb33c396a1bdae9bf4b4
Instruction ID: 42e7406e5b0056bfd7dc9f6f70f685364acf03666e84a4c2c785e4d9fffd2234
Opcode Fuzzy Hash: 36e47730b56429a359037d3002e8ff344343b50b9d22fb33c396a1bdae9bf4b4
Instruction Fuzzy Hash: 57F02B3A300305ABCB04AF35DC45A6ABF95FFC1760F0A4068FE15CB651C6729882CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D323F8 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00D300E2,00000000,00000000,00000004,00D2ED14,00000000,00000004,00D2F127,00000000,00000000), ref: 00D32410

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f285ce673b17a6082e2d3f981b42fd26b5aaf41ccf64ad12aa7fa751a0274a86
Instruction ID: b3bd104e9dad6def0d75add31f1e17a0ed6272749aecf1d5691eaecce0b80421
Opcode Fuzzy Hash: f285ce673b17a6082e2d3f981b42fd26b5aaf41ccf64ad12aa7fa751a0274a86
Instruction Fuzzy Hash: 9EE0D832A54208B6D7154BB8AE0FFBA76A8D71070AF544151EA02D40D1DAA1CB10A171

Uniqueness

Uniqueness Score: -1.00%

Function 00D476AF Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00D44E3F,?,20001004,00000000,00000002,?,?,00D44441), ref: 00D476E3

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 932fbf8eceeefd23f03d0d92c1fd6a55ea4dd102b0ed1a08fa20224786122a00
Instruction ID: 1cb8f10a916ec615bcd3805b3a1f92741003a784484780904cd21be95f5d2f58
Opcode Fuzzy Hash: 932fbf8eceeefd23f03d0d92c1fd6a55ea4dd102b0ed1a08fa20224786122a00
Instruction Fuzzy Hash: FCE04F3250871DBBCF122F61EC08EAE3E26EF44751F154010FC4565220CB718920AAF9

Uniqueness

Uniqueness Score: -1.00%

Function 00D12310 Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D32C98: EnterCriticalSection.KERNEL32(hG,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32CA3
Part of subcall function 00D32C98: LeaveCriticalSection.KERNEL32(hG,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32CE0

GetProcessHeap.KERNEL32 ref: 00D12365

Part of subcall function 00D32C4E: EnterCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C58
Part of subcall function 00D32C4E: LeaveCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C8B
Part of subcall function 00D32C4E: RtlWakeAllConditionVariable.NTDLL ref: 00D32D02

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: 99660c9e871e225f8ca156c31bd45bfa815ace2d4616f9fb0475f7fdb980d4a9
Instruction ID: f7fffd8e9aed0d1ddfcf9cf67cd1525fac39712e0b7d6f1bbf68d371063406e3
Opcode Fuzzy Hash: 99660c9e871e225f8ca156c31bd45bfa815ace2d4616f9fb0475f7fdb980d4a9
Instruction Fuzzy Hash: A72157B8901340DFD710DF98ED4679977B0E725720F105B29E825DB3E1D7B659088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D40A48 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 19985175945e013be11795148f7f951fa2f51accbe04c3ced831b3b586493099
Instruction ID: f1985afa78fe488a986b088f53e2f5bd7076788865cc1b4fabd2d70994b4c1b6
Opcode Fuzzy Hash: 19985175945e013be11795148f7f951fa2f51accbe04c3ced831b3b586493099
Instruction Fuzzy Hash: 04328D74E0061ADFCF28CF98C991ABEBBB5EF44304F184169D945A7315D732AE46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D492A9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d516049d5b9ac03af6c7016f6eb103bce98819b3104bf01d3fbf4f6fafc86a
Instruction ID: a427b4fea17256f87be65ff5a30d9ab20442a257aa3e1b92ff5e07cf1b34bb8a
Opcode Fuzzy Hash: d0d516049d5b9ac03af6c7016f6eb103bce98819b3104bf01d3fbf4f6fafc86a
Instruction Fuzzy Hash: 27323721D28F414ED7235639DC7233AA288AFB73D5F15D727FC1AB5AA9EB29C4834110

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A915 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0b8f300b4750f939fb895fc3e71f6ba08ad7c38262be2b58e5f23929268bca
Instruction ID: 9f223c4285ce8b583c31ab88c0cdbeb565ee15d90f035bb3c6b5c881011a60c2
Opcode Fuzzy Hash: 8a0b8f300b4750f939fb895fc3e71f6ba08ad7c38262be2b58e5f23929268bca
Instruction Fuzzy Hash: A0E179747006058FCB28CF6CC580AAAB7B1FF49310F69865AD5D6AB291D731ED42CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D8D5 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 2488e6b7928953762777d45b6c230696ae8edd920eb5caf5069f0e4883c7d2b4
Instruction ID: 7f5acaa878eeb4c26ea90e62e221796c0112af76facba432ae5648168c89d987
Opcode Fuzzy Hash: 2488e6b7928953762777d45b6c230696ae8edd920eb5caf5069f0e4883c7d2b4
Instruction Fuzzy Hash: 0AB1D4755007419BDB38DF24CC92BB7B3BAEF54308F18456DE986C6680EA75E985CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C2CA Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction ID: cdc3065efea9e83f156ea069740ca5d480412e0cf2f167f1126fe14edea96168
Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction Fuzzy Hash: 96516472E00219EFDF14CF99C951AEEBBB1EF88350F598059E915BB241C734AE50CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D34920 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 8e43556b91eabd0625a4277d729cfb0ba59d09e2c53474a62f47d69d9adde3b4
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0511087720114243D604C62EC9B47B7E795EBC6335F2D836ED0918B758D62AF9459E30

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AD78 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: 38e2ec799675e6d67270ba3eb0195ade0fcf41786bc7c99b04216bed6ac1bf44
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: B1E08C72A11238EBCB14DBDCC90498AF3ECEB88B01B15049AF501E3500D370DE00D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00D42DCC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction ID: 23f19a9985905387ab5895242a94ba2140173441612e0c74e124536a06103363
Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction Fuzzy Hash: 69C08C38840E0047CE2989148AB13B83354FB91792FC8058CD4030BA46C71EAC83D671

Uniqueness

Uniqueness Score: -1.00%

Function 00D30116 Relevance: 30.3, APIs: 20, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3011D
collate.LIBCPMT ref: 00D30126

Part of subcall function 00D2EDF2: __EH_prolog3_GS.LIBCMT ref: 00D2EDF9
Part of subcall function 00D2EDF2: __Getcoll.LIBCPMT ref: 00D2EE5D

__Getcoll.LIBCPMT ref: 00D3016C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30180
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30195
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D301D3
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D301E6
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3022C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30260
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3031B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3032E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3034B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30368
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30385
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D302BD

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

numpunct.LIBCPMT ref: 00D303C4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D303D4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30418

Part of subcall function 00D16330: LocalAlloc.KERNEL32(00000040,?,00D20E04,00000020,?,?,00D19942,00000000,F83EBEA6,?,?,?,?,00D550DD,000000FF), ref: 00D16336

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3042B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D30448

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 3717464618-0
Opcode ID: 2f95ac132c653f1ff3770ace050b953f4c8fde8f73359392f28b3f6d52b582f2
Instruction ID: 21a4679a2d1bc72e5ec76e6230a590c2c922bafef62348962270dba621c9f945
Opcode Fuzzy Hash: 2f95ac132c653f1ff3770ace050b953f4c8fde8f73359392f28b3f6d52b582f2
Instruction Fuzzy Hash: 38910871D013117BE720BBB46C12BBFBEAADF51760F584429F85AA7281DE70894097F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D16600 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 319filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00D1667E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D166D7
LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D166E2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D166FE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00D167DB
CloseHandle.KERNEL32(?), ref: 00D167E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00D549E5), ref: 00D1682F
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00D549E5,000000FF), ref: 00D1684A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00D549E5), ref: 00D16867
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00D549E5,000000FF), ref: 00D16891
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00D168D8
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00D1692A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D549E5,000000FF), ref: 00D1695C

Strings

open, xrefs: 00D168D1, 00D168F0
[InternetShortcut]URL=, xrefs: 00D1670A
-_.~!*'();:@&=+$,/?#[], xrefs: 00D16757, 00D1676E
URL Shortcut content:, xrefs: 00D16875

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: 498bf079c80ea376f254b90d103b26cd54904b42f97467ba7f0d3499c9bc0051
Instruction ID: d4d56a86952fea39a82cf1cf95a7f12d51823c0c0da51b9c34f0f611e86e4001
Opcode Fuzzy Hash: 498bf079c80ea376f254b90d103b26cd54904b42f97467ba7f0d3499c9bc0051
Instruction Fuzzy Hash: 02B11471904249AFEB20CF68EC45BEFBBB5EF45700F144119E904AB2C1DB709A88CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D32B8C Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(hG,00000FA0,?,?,00D32B6A), ref: 00D32B98
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00D32B6A), ref: 00D32BA3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D32B6A), ref: 00D32BB4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,00D32B6A), ref: 00D32BC6
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,00D32B6A), ref: 00D32BD4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D32B6A), ref: 00D32BF7
DeleteCriticalSection.KERNEL32(hG,00000007,?,?,00D32B6A), ref: 00D32C13
CloseHandle.KERNEL32(00000000), ref: 00D32C23

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D32B9E
kernel32.dll, xrefs: 00D32BAF
SleepConditionVariableCS, xrefs: 00D32BC0
WakeAllConditionVariable, xrefs: 00D32BCC
hG, xrefs: 00D32B93, 00D32C0E

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$hG$kernel32.dll
API String ID: 2565136772-2402821984
Opcode ID: ad1d69512dcde28f61a708644596d719ef6ab4442fcb55466c43d4d4274095c6
Instruction ID: c8ce277aba0e215d5681814a8504cbce011055a3301caf953774d7c8ec104a68
Opcode Fuzzy Hash: ad1d69512dcde28f61a708644596d719ef6ab4442fcb55466c43d4d4274095c6
Instruction Fuzzy Hash: CF017171F45711AFDA212F78BC09E6A7BB9DF55B53B290811FD04E23A4DEB4C8048A71

Uniqueness

Uniqueness Score: -1.00%

Function 00D35CAF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00D35DAC
type_info::operator==.LIBVCRUNTIME ref: 00D35DCE
___TypeMatch.LIBVCRUNTIME ref: 00D35EDD
IsInExceptionSpec.LIBVCRUNTIME ref: 00D35FAF
_UnwindNestedFrames.LIBCMT ref: 00D36033
CallUnexpected.LIBVCRUNTIME ref: 00D3604E

Strings

csm, xrefs: 00D35D59
csm, xrefs: 00D35E05
csm, xrefs: 00D35CEC

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 59a267addb191385fce0af06aa896c85ceaa9cf4ded0208b34c3eee4196b04cc
Instruction ID: 63f452cf2c868a58f54443964145ead3c147d9f17296cdf4110aca4936c33a55
Opcode Fuzzy Hash: 59a267addb191385fce0af06aa896c85ceaa9cf4ded0208b34c3eee4196b04cc
Instruction Fuzzy Hash: F5B17D71800609EFCF29DFA4E8819AEBBB5FF14310F18815AE8156B21AD771DA51CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D14270 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,F83EBEA6,?,?,?), ref: 00D142D2
OpenProcess.KERNEL32(00000400,00000000,?,?,F83EBEA6,?,?,?), ref: 00D142F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F83EBEA6,?,?,?), ref: 00D14326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F83EBEA6,?,?,?), ref: 00D14337
CloseHandle.KERNEL32(00000000), ref: 00D14355
CloseHandle.KERNEL32(00000000), ref: 00D14371
CloseHandle.KERNEL32(00000000), ref: 00D14399
CloseHandle.KERNEL32(00000000), ref: 00D143B5
CloseHandle.KERNEL32(00000000), ref: 00D143D3
CloseHandle.KERNEL32(00000000), ref: 00D143EF

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 79ac19ffcc93c5ca323a1fee9469b796208b3c6a42bff631a3e40cb809e54dee
Instruction ID: 8035115cc3af7b589236f11af6352345ea34118eabbed24640f70cd8757f27a4
Opcode Fuzzy Hash: 79ac19ffcc93c5ca323a1fee9469b796208b3c6a42bff631a3e40cb809e54dee
Instruction Fuzzy Hash: 19514870D41218AFDB10CF98E984BEEBBF4AF49714F294219E924B73C0CB7459458BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BBBD Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2BBC4

Part of subcall function 00D2254E: __EH_prolog3.LIBCMT ref: 00D22555
Part of subcall function 00D2254E: std::_Lockit::_Lockit.LIBCPMT ref: 00D2255F
Part of subcall function 00D2254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D225D0

Strings

%I : %M : %S %p, xrefs: 00D2BF1F
%H : %M : %S, xrefs: 00D2BD5D
:AM:am:PM:pm, xrefs: 00D2BF2A
%H : %M, xrefs: 00D2BD03
%d / %m / %y, xrefs: 00D2BEFA
%m / %d / %y, xrefs: 00D2BCBB
%b %d %H : %M : %S %Y, xrefs: 00D2BE52

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 0c1f886c73a1adda9d68b9b7dccb8503b140ceddbcd8f7b822c48b52bbbb3c77
Instruction ID: 0024fa7fdf609c12ea6f998b2550f89a50ecdbfec348290eea60fc61a93e424a
Opcode Fuzzy Hash: 0c1f886c73a1adda9d68b9b7dccb8503b140ceddbcd8f7b822c48b52bbbb3c77
Instruction Fuzzy Hash: 4EB1BF7150011AAFCF19DF68ED55DFE3BA9EF24328F09411AFA46A2251D7B1CA10DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00D30C9D Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D30CA4

Part of subcall function 00D19270: std::_Lockit::_Lockit.LIBCPMT ref: 00D192A0
Part of subcall function 00D19270: std::_Lockit::_Lockit.LIBCPMT ref: 00D192C2
Part of subcall function 00D19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D192EA
Part of subcall function 00D19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D19422

Strings

%I : %M : %S %p, xrefs: 00D30FFF
%H : %M : %S, xrefs: 00D30E3D
:AM:am:PM:pm, xrefs: 00D3100A
%H : %M, xrefs: 00D30DE3
%d / %m / %y, xrefs: 00D30FDA
%m / %d / %y, xrefs: 00D30D9B
%b %d %H : %M : %S %Y, xrefs: 00D30F32

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: e7372e0d6df9a6b45d7bb537c0a7d0e08ede2922fd7149db2d471e0486b0c6f3
Instruction ID: 047e4572b5f27ff3c7eb926419392bf84d0e6c5051bdc6df704451013b9f703d
Opcode Fuzzy Hash: e7372e0d6df9a6b45d7bb537c0a7d0e08ede2922fd7149db2d471e0486b0c6f3
Instruction Fuzzy Hash: 6AB19D7650020AAFCF29DFA8C969DFE3FB9EF18304F184519FA46A6251D631DA10DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BF7E Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2BF85

Part of subcall function 00D18610: std::_Lockit::_Lockit.LIBCPMT ref: 00D18657
Part of subcall function 00D18610: std::_Lockit::_Lockit.LIBCPMT ref: 00D18679
Part of subcall function 00D18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D186A1
Part of subcall function 00D18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D1880E

Strings

%I : %M : %S %p, xrefs: 00D2C2E0
%H : %M : %S, xrefs: 00D2C11E
:AM:am:PM:pm, xrefs: 00D2C2EB
%H : %M, xrefs: 00D2C0C4
%d / %m / %y, xrefs: 00D2C2BB
%m / %d / %y, xrefs: 00D2C07C
%b %d %H : %M : %S %Y, xrefs: 00D2C213

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 074c8c8fe29916bc5b642b3a3ac335a47847cea5ac6040afe3a31071e6ef074f
Instruction ID: b58210b7ef8b14d421cf51db6e500ae9df3b0704cb98cfae83626e8c9a97e410
Opcode Fuzzy Hash: 074c8c8fe29916bc5b642b3a3ac335a47847cea5ac6040afe3a31071e6ef074f
Instruction Fuzzy Hash: 24B1CF7151021AEFCF19DFA4E956DBE3BB9EF29348F044109FA02A2252D631CE10DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D28555 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2855C
_Maklocstr.LIBCPMT ref: 00D285C5
_Maklocstr.LIBCPMT ref: 00D285D7
_Maklocchr.LIBCPMT ref: 00D285EF
_Maklocchr.LIBCPMT ref: 00D285FF
_Getvals.LIBCPMT ref: 00D28621

Part of subcall function 00D21CD4: _Maklocchr.LIBCPMT ref: 00D21D03
Part of subcall function 00D21CD4: _Maklocchr.LIBCPMT ref: 00D21D19

Strings

true, xrefs: 00D285D2
false, xrefs: 00D285C0

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 9bfbaaa44439fcd23631241e63d7b7c323e081b4628b06d3a22fe97b154cc852
Instruction ID: 7b87751d00270218ab006038c63553c9837cc3677244c1460228d5a580d10b29
Opcode Fuzzy Hash: 9bfbaaa44439fcd23631241e63d7b7c323e081b4628b06d3a22fe97b154cc852
Instruction Fuzzy Hash: 5B21A1B5D00324ABDF14EFA0E886ACF7B68EF14314F008156F9049F242DA70D944CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D140B0 Relevance: 12.2, APIs: 8, Instructions: 233memorytimeCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,F83EBEA6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D14154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,F83EBEA6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D14177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D14217
OpenProcess.KERNEL32(00000400,00000000,?,F83EBEA6,?,?,?), ref: 00D142D2
OpenProcess.KERNEL32(00000400,00000000,?,?,F83EBEA6,?,?,?), ref: 00D142F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F83EBEA6,?,?,?), ref: 00D14326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F83EBEA6,?,?,?), ref: 00D14337
CloseHandle.KERNEL32(00000000), ref: 00D14355
CloseHandle.KERNEL32(00000000), ref: 00D14371

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Process$Local$AllocCloseHandleOpenTimes$Free
String ID:
API String ID: 1424318461-0
Opcode ID: 6aec0fdc0ec0d75cea40d6602de39a2fa5eb93be69d22e3e973267d8610b2f4e
Instruction ID: 0e0f28ac17fe076e973c369a3a2fe51689fd0d0651ec3003baf36ecfad8a5dc4
Opcode Fuzzy Hash: 6aec0fdc0ec0d75cea40d6602de39a2fa5eb93be69d22e3e973267d8610b2f4e
Instruction Fuzzy Hash: 97818771E00205AFDB14CF98D985BEDBBB5FB48710F244229E925E73D0DB70A9818BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D3266D Relevance: 12.2, APIs: 8, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00D326F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D32786
__alloca_probe_16.LIBCMT ref: 00D327B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D327F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D32812
__alloca_probe_16.LIBCMT ref: 00D32838
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D32875
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00D32892

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 94ffd8e88e75b3522b91e85b2f48f6e9184c84c33a4bda5e477fa311276e3661
Instruction ID: 8f3f3b519783156eb35edf2246c5082d634cc9467d87f7da94c04f634d5f9bf5
Opcode Fuzzy Hash: 94ffd8e88e75b3522b91e85b2f48f6e9184c84c33a4bda5e477fa311276e3661
Instruction Fuzzy Hash: A3718176D0020AABDF219FA9DC45AFE7BB6FF45750F280059E944A7250DB75C900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3215A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00D321A3
__alloca_probe_16.LIBCMT ref: 00D321CF
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00D3220E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3222B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00D3226A
__alloca_probe_16.LIBCMT ref: 00D32287
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D322C9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00D322EC

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: c549993042bc26eec041dc323d5f51044e0a24e340d0628919c9d0771ab31723
Instruction ID: 229dc84e9a50f536480be789c2019a7e1439c104631f91903cb29df5089da433
Opcode Fuzzy Hash: c549993042bc26eec041dc323d5f51044e0a24e340d0628919c9d0771ab31723
Instruction Fuzzy Hash: 68519B7290030ABBDB208F64DC85FBB7BA9EF44B50F294028FA15E6190D774CD109B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D18610 Relevance: 10.7, APIs: 7, Instructions: 157memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D18657
std::_Lockit::_Lockit.LIBCPMT ref: 00D18679
std::_Lockit::~_Lockit.LIBCPMT ref: 00D186A1
LocalAlloc.KERNEL32(00000040,00000044,00000000,F83EBEA6,?,00000000), ref: 00D186F9
__Getctype.LIBCPMT ref: 00D1877B
std::_Facet_Register.LIBCPMT ref: 00D187E4
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1880E

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 9000578a4bc6f365de64188f2e820a901e8d71cc39fc94eecc6c8b84250063ac
Instruction ID: eb99f22cadb72b8a655e417559e8b579ec30744caf3e6d2ff9499939739ccaab
Opcode Fuzzy Hash: 9000578a4bc6f365de64188f2e820a901e8d71cc39fc94eecc6c8b84250063ac
Instruction Fuzzy Hash: AC61C1B0D00754DFDB11CF68E940B9ABBF0EF14314F248159E845AB392EB70AA84DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D19270 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D192A0
std::_Lockit::_Lockit.LIBCPMT ref: 00D192C2
std::_Lockit::~_Lockit.LIBCPMT ref: 00D192EA
LocalAlloc.KERNEL32(00000040,00000018,00000000,F83EBEA6,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00D19342
__Getctype.LIBCPMT ref: 00D193BD
std::_Facet_Register.LIBCPMT ref: 00D193F8
std::_Lockit::~_Lockit.LIBCPMT ref: 00D19422

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: abe3ac0184d6bf574029eedd730842ebd7592091fcce3d5ddcbdbc6bbb5f8013
Instruction ID: 28d3ba773af16f064307cd17a01a386def4a5013a8087d2c367b708ce4dabda1
Opcode Fuzzy Hash: abe3ac0184d6bf574029eedd730842ebd7592091fcce3d5ddcbdbc6bbb5f8013
Instruction Fuzzy Hash: 9551CDB0D04214EFDB11CF68E56079EBBF4EF14714F248159E855AB391DBB0AA84CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D33F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D33F57
___except_validate_context_record.LIBVCRUNTIME ref: 00D33F5F
_ValidateLocalCookies.LIBCMT ref: 00D33FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D34013
_ValidateLocalCookies.LIBCMT ref: 00D34068

Strings

csm, xrefs: 00D33FFD

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c00a3696d34793b8b3a31666c82b503eafc49aa84ca96610161d42a447e5ccef
Instruction ID: 83bad509702c177447b75a891f6fcb59cf1cf5833ae27b1453e0ec41f911a54e
Opcode Fuzzy Hash: c00a3696d34793b8b3a31666c82b503eafc49aa84ca96610161d42a447e5ccef
Instruction Fuzzy Hash: 1A417D34E00209AFCF10DF68C981A9EBBB5EF44324F188156E915AB392D775EA05CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D32C4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C58
LeaveCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C8B
RtlWakeAllConditionVariable.NTDLL ref: 00D32D02
SetEvent.KERNEL32(?,00D12427,00D6E638,00D56B40), ref: 00D32D0C
ResetEvent.KERNEL32(?,00D12427,00D6E638,00D56B40), ref: 00D32D18

Strings

hG, xrefs: 00D32C52, 00D32C57, 00D32C6E

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID: hG
API String ID: 3916383385-2527930132
Opcode ID: 3faa04cb824e6890971b82654db714c30bbba77a12305a9a9420ebe724f8486d
Instruction ID: 2b72b166546762bffdb1be1d228324073bb6ca7f649926e35d47dc388c9b8a81
Opcode Fuzzy Hash: 3faa04cb824e6890971b82654db714c30bbba77a12305a9a9420ebe724f8486d
Instruction Fuzzy Hash: 24014231A08760DFCB11AF18FC08AA97BA6FB4A352B060469F802C3320CBB05801CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1B500 Relevance: 9.2, APIs: 6, Instructions: 151memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D1B531
std::_Lockit::_Lockit.LIBCPMT ref: 00D1B54F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B577
LocalAlloc.KERNEL32(00000040,0000000C,00000000,F83EBEA6,?,00000000,00000000), ref: 00D1B5CF
std::_Facet_Register.LIBCPMT ref: 00D1B6B7
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B6E1

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 5d9b949cb0a596faa8a24739b8e30acbbe040ab796562224dad53cd3290a1d42
Instruction ID: 5b2d493cc6b5867cd1819e57da580085a8e37ee597c4b69d492a092c6dd34758
Opcode Fuzzy Hash: 5d9b949cb0a596faa8a24739b8e30acbbe040ab796562224dad53cd3290a1d42
Instruction Fuzzy Hash: 5451A1B4900354EFDB11CF98E8807AEBBB4FF10324F24455AE855AB391DBB59A44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1B700 Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D1B731
std::_Lockit::_Lockit.LIBCPMT ref: 00D1B74F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B777
LocalAlloc.KERNEL32(00000040,00000008,00000000,F83EBEA6,?,00000000,00000000), ref: 00D1B7CF
std::_Facet_Register.LIBCPMT ref: 00D1B863
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B88D

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 390b7c96f7dba029a1c0a743ebd073cd11c4835a1f9fc6c7be811d72ee90446e
Instruction ID: e145f4ee51b6de01dcd776e702c91023dfa588f1a0e457992d6eee53674148b8
Opcode Fuzzy Hash: 390b7c96f7dba029a1c0a743ebd073cd11c4835a1f9fc6c7be811d72ee90446e
Instruction Fuzzy Hash: 8A51AEB4904314EFCB11CF98E58079EBBB4EB14724F24855EE851AB391DBB09E44CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D40351 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00D4043B
__freea.LIBCMT ref: 00D404D1
__freea.LIBCMT ref: 00D404ED

Strings

a/p, xrefs: 00D405B5
am/pm, xrefs: 00D40551

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 984ef6541f0cad6fd8b5f3e9ace550dfb813a1520b71cd1587731cdb997fe683
Instruction ID: 4f1a0ae81971ebb788fd07bb32ae1198b7db3e37ccb345a854065457de755bc8
Opcode Fuzzy Hash: 984ef6541f0cad6fd8b5f3e9ace550dfb813a1520b71cd1587731cdb997fe683
Instruction Fuzzy Hash: 9AC1CD35900216DBDB249F68C989ABABFB1FF45710F284049EB49AB650D335ED41CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D35978 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D3596F,00D34900,00D3358F), ref: 00D35986
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D35994
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D359AD
SetLastError.KERNEL32(00000000,00D3596F,00D34900,00D3358F), ref: 00D359FF

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 12b74afd58dbe99649e6790aacf3d3b64c1087c0a7a04a79c09ef3d7a1a3d917
Instruction ID: ff3f34d9b4bcde6f849e4da9c3a81cbc2822f8ba7ee2e7aa26b81508ae0ae0aa
Opcode Fuzzy Hash: 12b74afd58dbe99649e6790aacf3d3b64c1087c0a7a04a79c09ef3d7a1a3d917
Instruction Fuzzy Hash: E101D43721DB12EFA72426B4BD86B6A6B54DB0177AF240329F418C52E4EE918C0199B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D13230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,F83EBEA6,?,00000004), ref: 00D13294
MoveFileW.KERNEL32 ref: 00D1354A
DeleteFileW.KERNEL32(?), ref: 00D13592

Part of subcall function 00D11A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00D11AF7
Part of subcall function 00D11A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00D11B7D

Part of subcall function 00D12E60: LocalFree.KERNEL32(?,F83EBEA6,?,?,00D53C40,000000FF,?,00D11242,F83EBEA6,?,?,00D53C75,000000FF), ref: 00D12EB1

Strings

URL, xrefs: 00D1328E, 00D1357A
url, xrefs: 00D133B9, 00D13575

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: FileLocal$Free$AllocDeleteMoveNameTemp
String ID: URL$url
API String ID: 853893950-346267919
Opcode ID: 0dfaae88180d9b709880954353dd3679e03e5c88ea723aac25d41afdf3804037
Instruction ID: c4066eb92dc577edfbccdb0c8889bc5dfd88e3aa216df2361eddc6fbcf305315
Opcode Fuzzy Hash: 0dfaae88180d9b709880954353dd3679e03e5c88ea723aac25d41afdf3804037
Instruction Fuzzy Hash: A3C15870D14268AADB24DF28DC987DDBBB4BF14304F1442D9D409A7291EBB56BC8CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1621F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11A20: LocalFree.KERNEL32(?), ref: 00D11A42

Part of subcall function 00D33E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00D11434,?,?,00D1D341,00D11434,00D68B5C,?,00D11434,?,00000000), ref: 00D33EBA

GetCurrentProcess.KERNEL32(F83EBEA6,F83EBEA6,?,?,00000000,00D54981,000000FF), ref: 00D162EB

Part of subcall function 00D32C98: EnterCriticalSection.KERNEL32(hG,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32CA3
Part of subcall function 00D32C98: LeaveCriticalSection.KERNEL32(hG,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00D162B0
GetProcAddress.KERNEL32(00000000), ref: 00D162B7

Part of subcall function 00D32C4E: EnterCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C58
Part of subcall function 00D32C4E: LeaveCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C8B
Part of subcall function 00D32C4E: RtlWakeAllConditionVariable.NTDLL ref: 00D32D02

Strings

kernel32, xrefs: 00D162AB
IsWow64Process, xrefs: 00D162A6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
String ID: IsWow64Process$kernel32
API String ID: 1333104975-3789238822
Opcode ID: 314cb12642a54923aad232cffe966daba0419da7ffe264b28a5a12ea6c042516
Instruction ID: 96ae6e0d90ab3ced7b47b319a45bd3e670d8542c3f6f6de93f2b3bdac9215d2e
Opcode Fuzzy Hash: 314cb12642a54923aad232cffe966daba0419da7ffe264b28a5a12ea6c042516
Instruction Fuzzy Hash: EA21DE75944705EFCB10DFA4ED06B9DB7B8EB18B11F100629F911E33D0DBB4A9448A71

Uniqueness

Uniqueness Score: -1.00%

Function 00D28451 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D28458
_Getvals.LIBCPMT ref: 00D284AA
_Mpunct.LIBCPMT ref: 00D284E5
_Mpunct.LIBCPMT ref: 00D284FF

Strings

$+xv, xrefs: 00D2850A

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: be13076b66305cd707f876776a9a040cd2617c840116fce456e1ad3cc21adfa2
Instruction ID: 52cfc0ce46eb5a205a0ec7f1584641ca96842291fe89ccf83fe35e7b32e1f460
Opcode Fuzzy Hash: be13076b66305cd707f876776a9a040cd2617c840116fce456e1ad3cc21adfa2
Instruction Fuzzy Hash: 862192B1904BA2AFDB25EF74D49077BBEE8EB18305F04455AE459C7A42D734E602CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D16250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(F83EBEA6,F83EBEA6,?,?,00000000,00D54981,000000FF), ref: 00D162EB

Part of subcall function 00D32C98: EnterCriticalSection.KERNEL32(hG,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32CA3
Part of subcall function 00D32C98: LeaveCriticalSection.KERNEL32(hG,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00D162B0
GetProcAddress.KERNEL32(00000000), ref: 00D162B7

Part of subcall function 00D32C4E: EnterCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C58
Part of subcall function 00D32C4E: LeaveCriticalSection.KERNEL32(hG,?,?,00D12427,00D6E638,00D56B40), ref: 00D32C8B
Part of subcall function 00D32C4E: RtlWakeAllConditionVariable.NTDLL ref: 00D32D02

Strings

kernel32, xrefs: 00D162AB
IsWow64Process, xrefs: 00D162A6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 6f03bd4daad9cc7ac7768ac23938a6a9297be66d03f0ee4e0283bb485626714e
Instruction ID: e572f765f2deff8e829aaa9e51bf98e127105570869ed72fa593944aff619f86
Opcode Fuzzy Hash: 6f03bd4daad9cc7ac7768ac23938a6a9297be66d03f0ee4e0283bb485626714e
Instruction Fuzzy Hash: E8118E76D04715EFCB10CF98ED05B99B7A8E714B11F14066AE811D37D0EBB5A9048A71

Uniqueness

Uniqueness Score: -1.00%

Function 00D42DEE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F83EBEA6,?,?,00000000,00D56A6C,000000FF,?,00D42DC1,?,?,00D42D95,?), ref: 00D42E23
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00000000,00D56A6C,000000FF,?,00D42DC1,?,?,00D42D95,?), ref: 00D42E35
FreeLibrary.KERNEL32(00000000,?,00000000,00D56A6C,000000FF,?,00D42DC1,?,?,00D42D95,?), ref: 00D42E57

Strings

mscoree.dll, xrefs: 00D42E1C
CorExitProcess, xrefs: 00D42E2D

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e6c0fb7c2ade8362339411a57254d638378ceff4248fdf6c32e1897a91e75425
Instruction ID: 23e2a4fad52d96905d70e2994303663c1de2ac1479a7416f1ad264e3eff49389
Opcode Fuzzy Hash: e6c0fb7c2ade8362339411a57254d638378ceff4248fdf6c32e1897a91e75425
Instruction Fuzzy Hash: D7016272918729AFDB128F54DC05FBEBBB8FB04B12F044625FC11E27A0DB749904CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D32D20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNEL32(?,00D32CBD,00000064), ref: 00D32D43
LeaveCriticalSection.KERNEL32(hG,?,?,00D32CBD,00000064,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32D4D
WaitForSingleObjectEx.KERNEL32(?,00000000), ref: 00D32D5E
EnterCriticalSection.KERNEL32(hG,?,00D32CBD,00000064,?,?,?,00D123B6,00D6E638,F83EBEA6,?,?,00D53D6D,000000FF), ref: 00D32D65

Strings

hG, xrefs: 00D32D33, 00D32D47, 00D32D4C, 00D32D64

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: hG
API String ID: 3269011525-2527930132
Opcode ID: 0756e6048c0b9ccc453705607d70320881ae71c8386f734bbe4bda6ec607c4ff
Instruction ID: 8fb46d4a1a4a4edce5385995f3bd9a7fb95077ff620f9eb86c4927e578383d06
Opcode Fuzzy Hash: 0756e6048c0b9ccc453705607d70320881ae71c8386f734bbe4bda6ec607c4ff
Instruction Fuzzy Hash: B0E0ED32E45724ABCA123B54FC08ADE3E2AAB09B52F150051F949A6271CAA159108FF5

Uniqueness

Uniqueness Score: -1.00%

Function 00D1B8B0 Relevance: 7.6, APIs: 5, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D1B8DD
std::_Lockit::_Lockit.LIBCPMT ref: 00D1B900
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B928
std::_Facet_Register.LIBCPMT ref: 00D1B98D
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B9B7

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: a124901a30eeeadbce2e512d695588b626fb05e991b7c4d9db28db6a9c852e7b
Instruction ID: c744ca534041f6712f8dcd51a94b4dcd54c4fbe4cb9e6aff31fe5c31f8a0a1f6
Opcode Fuzzy Hash: a124901a30eeeadbce2e512d695588b626fb05e991b7c4d9db28db6a9c852e7b
Instruction Fuzzy Hash: E1315775900214EFCB11DF58E940BADBBB4EF24734F14419AE800A73A2DB70AE42CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D15890 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,75D61E4D,00D15646,?,?,?,?,?), ref: 00D15898

Strings

true, xrefs: 00D158A7, 00D158B6
Last error=, xrefs: 00D158D9
Call to ShellExecuteEx() returned:, xrefs: 00D158AF
false, xrefs: 00D158A2

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: 6efb6a5da13112727db0e5aaa42a3998686d5f7371c74152d227b0a2e132fc34
Instruction ID: babafd8484c1361f428dcd58fcf21c8b92e0c43790327b905b6cd003725eaa14
Opcode Fuzzy Hash: 6efb6a5da13112727db0e5aaa42a3998686d5f7371c74152d227b0a2e132fc34
Instruction Fuzzy Hash: 2F118255A10621D7CB301F6CB8103A6A2E4DF94764F69047FE889D7395EAA98CC183B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D21C42 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00D21C62
_Maklocstr.LIBCPMT ref: 00D21C7F
_Maklocstr.LIBCPMT ref: 00D21C9C
_Maklocchr.LIBCPMT ref: 00D21CAE
_Maklocchr.LIBCPMT ref: 00D21CC1

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 03ab7def85c8cdd80758cf191135069fb5b511cbd7496d136c767e59c0a8e0fc
Instruction ID: 4e63506ec14b02dd966128becf8b5212bc53cce391cc825d9a36a2b8ed09cbbf
Opcode Fuzzy Hash: 03ab7def85c8cdd80758cf191135069fb5b511cbd7496d136c767e59c0a8e0fc
Instruction Fuzzy Hash: F011BCF5940794BBE720DBA4AC81F12B7ACEF24318F088619FA458BA40C264FC4487B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D87C Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D1D883
std::_Lockit::_Lockit.LIBCPMT ref: 00D1D88D

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

numpunct.LIBCPMT ref: 00D1D8C7
std::_Facet_Register.LIBCPMT ref: 00D1D8DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1D8FE

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: b459dd1f9926d12816031f3ac0b685fdab5432bbac8313a2fafae74f3e560b4b
Instruction ID: 0f51c90d1b0bcdd6fde93ed33b56944db203a0e14c41eaf6692f67cbfca5cfa3
Opcode Fuzzy Hash: b459dd1f9926d12816031f3ac0b685fdab5432bbac8313a2fafae74f3e560b4b
Instruction Fuzzy Hash: 7511CE75A00225ABCB04EB60B8116EEB762EF94315F280409F801AB391CF709E41CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D222FA Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22301
std::_Lockit::_Lockit.LIBCPMT ref: 00D2230B

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

codecvt.LIBCPMT ref: 00D22345
std::_Facet_Register.LIBCPMT ref: 00D2235C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2237C

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 9b9d3d5f5aced9831b7b07fa7d6d90cd7050920a1d7e9a32aa5dba82304c5007
Instruction ID: e6a76003cab060406c0a729ec6355df4caba4ad0fc252793f05f66cbc3808b58
Opcode Fuzzy Hash: 9b9d3d5f5aced9831b7b07fa7d6d90cd7050920a1d7e9a32aa5dba82304c5007
Instruction Fuzzy Hash: 4E01D635900225EFCB15EB64F8016BEB762EF94714F240509F400AB391DF749E408BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2238F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22396
std::_Lockit::_Lockit.LIBCPMT ref: 00D223A0

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

codecvt.LIBCPMT ref: 00D223DA
std::_Facet_Register.LIBCPMT ref: 00D223F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22411

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: ea2a603c51a00f4c5671de02af73912cc8d2588184d0aa333f78b9de162c1e75
Instruction ID: a4e7f5050b75f37c7e129fcb3e4d7c51240c52231c5f4a1b87c615e304a62062
Opcode Fuzzy Hash: ea2a603c51a00f4c5671de02af73912cc8d2588184d0aa333f78b9de162c1e75
Instruction Fuzzy Hash: B801D635A00229AFCB05EB64F9416BE7762EFA4714F280409F411AB392DF74DE45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D224B9 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D224C0
std::_Lockit::_Lockit.LIBCPMT ref: 00D224CA

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

collate.LIBCPMT ref: 00D22504
std::_Facet_Register.LIBCPMT ref: 00D2251B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2253B

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 88f2e9f94ff5cff21aa063455268f3eb91d7ca234b15bd79870cc4b935df3da2
Instruction ID: e362ffb994bd4d5b21dcb2b3d0cf4160ec45c5fa134d18b627fdc5523b592673
Opcode Fuzzy Hash: 88f2e9f94ff5cff21aa063455268f3eb91d7ca234b15bd79870cc4b935df3da2
Instruction Fuzzy Hash: 1301C435900225ABCB05EB64F8556BEB762EFA4724F254409F400AB392CF749E418BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22424 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2242B
std::_Lockit::_Lockit.LIBCPMT ref: 00D22435

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

collate.LIBCPMT ref: 00D2246F
std::_Facet_Register.LIBCPMT ref: 00D22486
std::_Lockit::~_Lockit.LIBCPMT ref: 00D224A6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: f7a1a77fa8842e26cb04d373e83a4c134debf0433014d5096e473deea105766a
Instruction ID: 18ca82221c958258dd053199ebaecdc3cf125d251425085ac3dddedf73bfe2b1
Opcode Fuzzy Hash: f7a1a77fa8842e26cb04d373e83a4c134debf0433014d5096e473deea105766a
Instruction Fuzzy Hash: D9018435900225AFCB05EB64F9516BE7B62EFA4728F280549F400AB392DF749E45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D225E3 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D225EA
std::_Lockit::_Lockit.LIBCPMT ref: 00D225F4

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

messages.LIBCPMT ref: 00D2262E
std::_Facet_Register.LIBCPMT ref: 00D22645
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22665

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 71864064cf3db49cf1c8973968a7eebae57f8866bf57b6a206140e496035549b
Instruction ID: dc05c340ae168b00d4f491a6b9d5b9c4751c8a9146b45ee0dc7f4b39a830e33b
Opcode Fuzzy Hash: 71864064cf3db49cf1c8973968a7eebae57f8866bf57b6a206140e496035549b
Instruction Fuzzy Hash: AE019636900225ABCB05EB64F815ABEBB72FFA4715F244509F411AB392DF749E40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2254E Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22555
std::_Lockit::_Lockit.LIBCPMT ref: 00D2255F

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

ctype.LIBCPMT ref: 00D22599
std::_Facet_Register.LIBCPMT ref: 00D225B0
std::_Lockit::~_Lockit.LIBCPMT ref: 00D225D0

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: 90b3e8e991acde85d4a85e99fbce809ffdcaf03c062af45ff26807012d15e143
Instruction ID: 7472d68ab3251ebbd34546be3a90b7cad555f7731d4315f771df4da3c59c5873
Opcode Fuzzy Hash: 90b3e8e991acde85d4a85e99fbce809ffdcaf03c062af45ff26807012d15e143
Instruction Fuzzy Hash: A201C435900229ABCB05EB60F811ABE7762EF94314F244409F411AB392DF749E40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D6BD Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D1D6C4
std::_Lockit::_Lockit.LIBCPMT ref: 00D1D6CE

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

codecvt.LIBCPMT ref: 00D1D708
std::_Facet_Register.LIBCPMT ref: 00D1D71F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1D73F

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 2fd9b3669f9394952a796d78be80858d8eb01222de74c709362d26bb8951ae04
Instruction ID: 99f4de0802da2c5ec81ccd2ae54a60acb82a8377e4cc90a9a877218181ba591e
Opcode Fuzzy Hash: 2fd9b3669f9394952a796d78be80858d8eb01222de74c709362d26bb8951ae04
Instruction Fuzzy Hash: A0018035900225ABCB15EB64B9516EEBBA2FF94710F290509F802AB3D2DF749E41C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22678 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2267F
std::_Lockit::_Lockit.LIBCPMT ref: 00D22689

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

messages.LIBCPMT ref: 00D226C3
std::_Facet_Register.LIBCPMT ref: 00D226DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00D226FA

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: d8a00b82484e03f07bda2ca0409cd96dbc63931270af3dc9618a80db7701f873
Instruction ID: a8fdc3e58420fd1306a2ba4b717ddcc17f0ae24876205830d2378cb3ad241ea7
Opcode Fuzzy Hash: d8a00b82484e03f07bda2ca0409cd96dbc63931270af3dc9618a80db7701f873
Instruction Fuzzy Hash: 8D01D635900225AFCB05EB64F8456BEB772EF94314F250409F411AB392CF749E01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2E8D8 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2E8DF
std::_Lockit::_Lockit.LIBCPMT ref: 00D2E8E9

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

messages.LIBCPMT ref: 00D2E923
std::_Facet_Register.LIBCPMT ref: 00D2E93A
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2E95A

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 545489b2c375014b83b423efee879518e0bd792dbbd3115945274447deec775a
Instruction ID: 8c0e659a6bb9045eb47fb4ab8f8911e8e5d68fc5a05035cc06bda917fac839b4
Opcode Fuzzy Hash: 545489b2c375014b83b423efee879518e0bd792dbbd3115945274447deec775a
Instruction Fuzzy Hash: A401D2359002259FCB15EB60F9016BEBBA2FFA4714F29050AF400AB392CF749E40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2E843 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2E84A
std::_Lockit::_Lockit.LIBCPMT ref: 00D2E854

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

collate.LIBCPMT ref: 00D2E88E
std::_Facet_Register.LIBCPMT ref: 00D2E8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2E8C5

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: d121c00d43a59da05999ee389eb9e44d6dab783b41876a8cecf9b352f7f9f5f8
Instruction ID: ec07af0092b24aea91c123a3995a912339c7f06493982c32bb57a404926c665c
Opcode Fuzzy Hash: d121c00d43a59da05999ee389eb9e44d6dab783b41876a8cecf9b352f7f9f5f8
Instruction Fuzzy Hash: A50188759002259FCB05EB64B8116AEB761EF94714F284505F405AB391DF749E409BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D229F6 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D229FD
std::_Lockit::_Lockit.LIBCPMT ref: 00D22A07

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

moneypunct.LIBCPMT ref: 00D22A41
std::_Facet_Register.LIBCPMT ref: 00D22A58
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22A78

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: de8f038decfa5f5308e46b9c2da89f557a4fa44e1abdb4fa8027e6179f0e6a57
Instruction ID: 17a34534e6f178323768dbf7b9087738aa51466c8e12f9aa94d934a0fe894189
Opcode Fuzzy Hash: de8f038decfa5f5308e46b9c2da89f557a4fa44e1abdb4fa8027e6179f0e6a57
Instruction Fuzzy Hash: 3B01D675900225EFCB15EB64F8516BE7762EF94314F250509F800AB392DF749E41CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22961 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22968
std::_Lockit::_Lockit.LIBCPMT ref: 00D22972

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

moneypunct.LIBCPMT ref: 00D229AC
std::_Facet_Register.LIBCPMT ref: 00D229C3
std::_Lockit::~_Lockit.LIBCPMT ref: 00D229E3

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 4dec6558cab8b89bf857a95f6454bb34a70421a8a5250fc5021dba17aa3b4805
Instruction ID: c7816ddc0f53e14be3357adabad775429c9ca60712b287e1882b51276e3455f4
Opcode Fuzzy Hash: 4dec6558cab8b89bf857a95f6454bb34a70421a8a5250fc5021dba17aa3b4805
Instruction Fuzzy Hash: C6019675940225EFCB05EB64F8516BEB766EF94714F24050AF810AB392DF749E408FB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EA97 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2EA9E
std::_Lockit::_Lockit.LIBCPMT ref: 00D2EAA8

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

moneypunct.LIBCPMT ref: 00D2EAE2
std::_Facet_Register.LIBCPMT ref: 00D2EAF9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2EB19

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 5f08fcb2de39ffe983538256cab2f481470930dbb13273c2fab3444ab08e42da
Instruction ID: 1c24dee352a8b8a8bdc8b6596f3343c11fe4e9c0565bca86f13d33777e426d86
Opcode Fuzzy Hash: 5f08fcb2de39ffe983538256cab2f481470930dbb13273c2fab3444ab08e42da
Instruction Fuzzy Hash: 0F01C075E002299BCB15EB60F9116AEB762FFA4324F280509F401AB396DF709E008BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22A8B Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22A92
std::_Lockit::_Lockit.LIBCPMT ref: 00D22A9C

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

moneypunct.LIBCPMT ref: 00D22AD6
std::_Facet_Register.LIBCPMT ref: 00D22AED
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22B0D

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: b454924250fe8079abd048216cfff4560d521ec868b9cd3ac42b00ea8235e4b5
Instruction ID: 3da51d932bf78e754489d6caecf0cefbe5b22f3a8656e8acf319d2525fddb89a
Opcode Fuzzy Hash: b454924250fe8079abd048216cfff4560d521ec868b9cd3ac42b00ea8235e4b5
Instruction Fuzzy Hash: F801C435900225AFCB15EB64B8116BEB762EFA4324F290509F800AB392CF749E04CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22B20 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22B27
std::_Lockit::_Lockit.LIBCPMT ref: 00D22B31

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

moneypunct.LIBCPMT ref: 00D22B6B
std::_Facet_Register.LIBCPMT ref: 00D22B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22BA2

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: c48a10275bb336f318e424071ca38de8b5a7ca001f138ff9a69a5fa3f78cc046
Instruction ID: 0b00441c53c8a616c3a4f62e16977605ef3d2e2753f1114e8a189cdd6af55427
Opcode Fuzzy Hash: c48a10275bb336f318e424071ca38de8b5a7ca001f138ff9a69a5fa3f78cc046
Instruction Fuzzy Hash: 2701C035A00325EBCB15EB64F8456BEBB72EF94724F280409F400AB396DF749E408BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EB2C Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2EB33
std::_Lockit::_Lockit.LIBCPMT ref: 00D2EB3D

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

moneypunct.LIBCPMT ref: 00D2EB77
std::_Facet_Register.LIBCPMT ref: 00D2EB8E
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2EBAE

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 593b2c664b89e4beba75e38cdde0666e6b29b55c0b97350f72d7352d33ec351e
Instruction ID: 6fa2d52e6c1c4538fc5b1cf53e495d3c08a2d71f5313d4c3e0b132008c7b50b8
Opcode Fuzzy Hash: 593b2c664b89e4beba75e38cdde0666e6b29b55c0b97350f72d7352d33ec351e
Instruction Fuzzy Hash: 2101C435900225DFCB05EB60F8516AEB762EF94714F290449F811AB392CF709E008BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22D74 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22D7B
std::_Lockit::_Lockit.LIBCPMT ref: 00D22D85

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

numpunct.LIBCPMT ref: 00D22DBF
std::_Facet_Register.LIBCPMT ref: 00D22DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22DF6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: f4e13632235c4efc48c2591650779d512402c82cd81bb1d8cd3d2dd12f8a2cc1
Instruction ID: 8bc381f7b28dd2a51b7357ba48029b0b117f527acfeda4618bef5b1f4b8a045d
Opcode Fuzzy Hash: f4e13632235c4efc48c2591650779d512402c82cd81bb1d8cd3d2dd12f8a2cc1
Instruction Fuzzy Hash: 4A01D635900225AFCB05EB60F9516BEB762FF94314F290409F410AB392DF749E419BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1BB40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,F83EBEA6,?,00000000), ref: 00D1BBA3
Concurrency::cancel_current_task.LIBCPMT ref: 00D1BD7F

Strings

true, xrefs: 00D1BCAB
false, xrefs: 00D1BC95

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal
String ID: false$true
API String ID: 3924972193-2658103896
Opcode ID: 6a5a49a4b63627bbe879c8553c2cc2744caef44c6dfee0d94504f83315c119b7
Instruction ID: e44c5ee0de4f5e2655a724f5fb7a4231dba8d04a89c6fe9468acee4ce0f0b5da
Opcode Fuzzy Hash: 6a5a49a4b63627bbe879c8553c2cc2744caef44c6dfee0d94504f83315c119b7
Instruction Fuzzy Hash: 4F61A4B1D00748EFDB10CFA4D941BDEB7B4FF14304F14425AE855AB281EB75AA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D3CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2D3D2

Part of subcall function 00D2254E: __EH_prolog3.LIBCMT ref: 00D22555
Part of subcall function 00D2254E: std::_Lockit::_Lockit.LIBCPMT ref: 00D2255F
Part of subcall function 00D2254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D225D0

_Find_elem.LIBCPMT ref: 00D2D46E

Strings

0123456789-, xrefs: 00D2D41E
%.0Lf, xrefs: 00D2D419

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2544715827-3094241602
Opcode ID: 7bfc5f229ba0c628adc2ef9d517d72dab1a7541ba27365cce78b00861ffdc359
Instruction ID: 7106d4ce0e13d81530adaecc4da0ee7eec5ddc9e0c8c7403ed8efdee13e6b14b
Opcode Fuzzy Hash: 7bfc5f229ba0c628adc2ef9d517d72dab1a7541ba27365cce78b00861ffdc359
Instruction Fuzzy Hash: 4F415131900228DFCF15EFA8E8809DDBBB5FF24318F500159E901AB255DB30EA56CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D66F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2D676

Part of subcall function 00D18610: std::_Lockit::_Lockit.LIBCPMT ref: 00D18657
Part of subcall function 00D18610: std::_Lockit::_Lockit.LIBCPMT ref: 00D18679
Part of subcall function 00D18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D186A1
Part of subcall function 00D18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D1880E

_Find_elem.LIBCPMT ref: 00D2D712

Strings

0123456789-, xrefs: 00D2D6C2
0123456789-, xrefs: 00D2D6BD

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: 3ededb3af1a747bcb629c3aaa1126a357d6dd49c2a41ca77cc2305373843598e
Instruction ID: 57bda3cd64eda5f1cb6450a2f5a3164dfa8b7aedf00a4307da9850bd071e818f
Opcode Fuzzy Hash: 3ededb3af1a747bcb629c3aaa1126a357d6dd49c2a41ca77cc2305373843598e
Instruction Fuzzy Hash: A841AF31900228DFCF01DFA8E880ADEBBB6FF18314F100059E911AB255DB30DA56CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3175A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D31761

Part of subcall function 00D19270: std::_Lockit::_Lockit.LIBCPMT ref: 00D192A0
Part of subcall function 00D19270: std::_Lockit::_Lockit.LIBCPMT ref: 00D192C2
Part of subcall function 00D19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D192EA
Part of subcall function 00D19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D19422

_Find_elem.LIBCPMT ref: 00D317FB

Strings

0123456789-, xrefs: 00D317A8
0123456789-, xrefs: 00D317AD

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: 08347e746da1da060c49ca38596fe702082e4acc17dba0b8270452b334fd2952
Instruction ID: 9e5f065f632cf94f3dc98cc0570af1d5d8e241dd7f25586ab49712b7abd5219d
Opcode Fuzzy Hash: 08347e746da1da060c49ca38596fe702082e4acc17dba0b8270452b334fd2952
Instruction Fuzzy Hash: DB415975900209EFCF05DFA8E891AEEBBB5FF04314F14005AF811AB252DB359A56CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D28386 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2838D

Part of subcall function 00D21C42: _Maklocstr.LIBCPMT ref: 00D21C62
Part of subcall function 00D21C42: _Maklocstr.LIBCPMT ref: 00D21C7F
Part of subcall function 00D21C42: _Maklocstr.LIBCPMT ref: 00D21C9C
Part of subcall function 00D21C42: _Maklocchr.LIBCPMT ref: 00D21CAE
Part of subcall function 00D21C42: _Maklocchr.LIBCPMT ref: 00D21CC1

_Mpunct.LIBCPMT ref: 00D2841A
_Mpunct.LIBCPMT ref: 00D28434

Strings

$+xv, xrefs: 00D2843F

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 37707c79b6fd53ff3ea93d2d69208bc54830aaecc12a3847bca1381f355f316a
Instruction ID: 6dd9f6505ced3a5eaf9aa5861d3636b95c45b9682ffde7f45f36ead8d6680450
Opcode Fuzzy Hash: 37707c79b6fd53ff3ea93d2d69208bc54830aaecc12a3847bca1381f355f316a
Instruction Fuzzy Hash: CD2192B1904BA26FD725EF75D49077BBEE8EB18305F04455AE499C7A42D730E602CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D2FFEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2FFF1
_Mpunct.LIBCPMT ref: 00D3007E
_Mpunct.LIBCPMT ref: 00D30098

Strings

$+xv, xrefs: 00D300A3

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 01ae3770d015ac26a1ec14b9645939277e77eb1aeccec3d118e7624686e07077
Instruction ID: bd141b11c39ab82cf9e7ba03c998d06c3b9cc49bfdac891546e40c206e25e60e
Opcode Fuzzy Hash: 01ae3770d015ac26a1ec14b9645939277e77eb1aeccec3d118e7624686e07077
Instruction Fuzzy Hash: 752190B1904B926EDB25DF74849077BBEF8EB08301F044A1AE499C7A42D734E601CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D124C0 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D11434,?,00000000), ref: 00D12569
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D11434,?,00000000), ref: 00D12589
LocalFree.KERNEL32(?,00D11434,?,00000000), ref: 00D125DF
CloseHandle.KERNEL32(00000000), ref: 00D12633
LocalFree.KERNEL32(?,F83EBEA6,?,00000000,00D53C40,000000FF,00000008,?,?,?,?,00D11434), ref: 00D12647

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Local$AllocFree$CloseHandle
String ID:
API String ID: 1291444452-0
Opcode ID: 7a25c8d8c4417dbb30be33dbf9cd6a2ead241211f6ac8d9e0a58bd0dd43ba50e
Instruction ID: 822ddc144614b3bbea59a06589ab95487fb63dbbfaac46db3bf5f8b0ab456d61
Opcode Fuzzy Hash: 7a25c8d8c4417dbb30be33dbf9cd6a2ead241211f6ac8d9e0a58bd0dd43ba50e
Instruction Fuzzy Hash: 22412A32600311ABD7149F28F8D4AFAB7E9EB45361F240629F866C76D0EF32D8948770

Uniqueness

Uniqueness Score: -1.00%

Function 00D51D9B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00D51DFE

Part of subcall function 00D4A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00D46F5E,?,00000000,-00000008), ref: 00D4AA67

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D52059
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D520A1
GetLastError.KERNEL32 ref: 00D52144

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 80dc0d162f3501b93a341a6ed027a0da9579876e12c015a23dfa6a5a7e7c27d0
Instruction ID: 882e896e20833464a8acb7025a6fd479362069f5ed3e56304d241e01d72d0229
Opcode Fuzzy Hash: 80dc0d162f3501b93a341a6ed027a0da9579876e12c015a23dfa6a5a7e7c27d0
Instruction Fuzzy Hash: 03D157B5D002589FCF15CFA8D880AAEBBB5FF09311F28452AED55EB351D730A949CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D235F7 Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D235FE
_strcspn.LIBCMT ref: 00D23666
_strcspn.LIBCMT ref: 00D23686
ctype.LIBCPMT ref: 00D236E4

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 1fb226bea4766d57f7a8e470fa7a76bd52e6a24c9322a1d46433f0b513c7fff2
Instruction ID: ac315beabce9997b34cc7e9447f6de52918611d2cabc5d876aa52f22a9d9051b
Opcode Fuzzy Hash: 1fb226bea4766d57f7a8e470fa7a76bd52e6a24c9322a1d46433f0b513c7fff2
Instruction Fuzzy Hash: AEB17BB5900269EFCF11DF98D880AEEBBB9FF58314F144019E845AB211D734AE52CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1DA6F Relevance: 6.3, APIs: 4, Instructions: 279COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D1DA76
_strcspn.LIBCMT ref: 00D1DADE
_strcspn.LIBCMT ref: 00D1DAFE
ctype.LIBCPMT ref: 00D1DB5C

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 2000cb31bee12d0d8e6a3e413ddf2789f3cba781778441f2713c9e538b817f8b
Instruction ID: 4ee56342ca4f2635b0ebb8c32c8e43d49e3813ccf09e5a18bcb6151f28355936
Opcode Fuzzy Hash: 2000cb31bee12d0d8e6a3e413ddf2789f3cba781778441f2713c9e538b817f8b
Instruction Fuzzy Hash: 15B15F75D00249EFDF10DF98D941AEEBBBAEF18310F144419E845A7216DB70AE81CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D35A58 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D35B1F
___AdjustPointer.LIBCMT ref: 00D35B42
___AdjustPointer.LIBCMT ref: 00D35BDE

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 497042ec968f193ee5b89a65f9e529d4dfc32ce9befbf9ac307040071c184230
Instruction ID: 99e36d97bb5dc5da31c9fd5487bcb7ac1a2fc76d6bba901e4dc3d12ff32f74ca
Opcode Fuzzy Hash: 497042ec968f193ee5b89a65f9e529d4dfc32ce9befbf9ac307040071c184230
Instruction Fuzzy Hash: E151E572600B06DFDB298F14E841B7AB7A4EF44310F18462DED4587299E731EC80DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D424E8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49279b589aafa5168b3afeed1d12b95fda99fbbe2d5d3a19372ffda5fd60cba4
Instruction ID: f47300cfc4abdf1f06c2e1dc9d04ac92ca6d6442cda2f79be59efad0fdda86d3
Opcode Fuzzy Hash: 49279b589aafa5168b3afeed1d12b95fda99fbbe2d5d3a19372ffda5fd60cba4
Instruction Fuzzy Hash: C221AC71604605AF9B20AF61DC62D7A77A9FF443A4B944925F825D7291EB30ED009BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D16FB0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00D16FB7

Strings

Last error=, xrefs: 00D17011
> returned:, xrefs: 00D16FC6
Call to ShellExecute() for verb<, xrefs: 00D16FC1

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: e5f923ecd393eadbc78cbcafd32834b3c59cecd686ffacaafc80300e435f375b
Instruction ID: 75b178c0e19803bb642c2b70b42a031398f2da08e07d15c1f85067aed2d340d6
Opcode Fuzzy Hash: e5f923ecd393eadbc78cbcafd32834b3c59cecd686ffacaafc80300e435f375b
Instruction Fuzzy Hash: C9218049B1036197CB301F28A401379A2F0EF58B54F69046FE8C9D7390EE698CC283B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D1CCE0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D1CD1C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D1CD3C
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D1CD6D
CloseHandle.KERNEL32(00000000), ref: 00D1CD86

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 54434326df0f8acfe99fd4a3374c7b6049366953ed8aac8a242c914e36a0431b
Instruction ID: 17ce8c2090cd06c0f120a0fdda3efc2c86b45da323addc66aa7adbf6b3d2487b
Opcode Fuzzy Hash: 54434326df0f8acfe99fd4a3374c7b6049366953ed8aac8a242c914e36a0431b
Instruction Fuzzy Hash: D3217F70941315AFD7208F54EC0AFAABBB8EB05B25F214269F911A73D0DBB46A0487F4

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D7E7 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D1D7EE
std::_Lockit::_Lockit.LIBCPMT ref: 00D1D7F8

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D1D849
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1D869

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9564ae6d3583915a91b53249a54c8e1d8720d006ae079dcfbd2ca79de3e742aa
Instruction ID: 58594b37db2444809d46b7038c734328e96a628964058119c66c92e094a86d21
Opcode Fuzzy Hash: 9564ae6d3583915a91b53249a54c8e1d8720d006ae079dcfbd2ca79de3e742aa
Instruction Fuzzy Hash: 2501C075D00225AFCB15EB60F8426EEB7A2EF94724F280409F401AB392DF709E81C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D227A2 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D227A9
std::_Lockit::_Lockit.LIBCPMT ref: 00D227B3

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22804
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22824

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: a3efbbd1bf967d08053f5d9806d0c4419c80661beada68b6cbbab52f3d5d7cd6
Instruction ID: 1f006c2539939cbf68023ddf38d54dddccdc436a47caa78a7e71e87d34c537f1
Opcode Fuzzy Hash: a3efbbd1bf967d08053f5d9806d0c4419c80661beada68b6cbbab52f3d5d7cd6
Instruction Fuzzy Hash: D601C435900225ABCB05EB64B9116BEB772FFA4724F240509F801AB392DF749E01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D752 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D1D759
std::_Lockit::_Lockit.LIBCPMT ref: 00D1D763

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D1D7B4
std::_Lockit::~_Lockit.LIBCPMT ref: 00D1D7D4

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9b1acc2819ee789aa06a0aaf61c590aa88a383ba7cb3734b8ad5c57c1c5420b3
Instruction ID: 14f63be3eaddeb8825babda22ce651b26ae5b96e697d35e563f9897d812c73f0
Opcode Fuzzy Hash: 9b1acc2819ee789aa06a0aaf61c590aa88a383ba7cb3734b8ad5c57c1c5420b3
Instruction Fuzzy Hash: E401D635900215AFCB05EB60F9516EE77A2EF94314F280509F812AB3D2DF709E40D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2270D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22714
std::_Lockit::_Lockit.LIBCPMT ref: 00D2271E

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D2276F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2278F

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7f93d3abdeabaceb635ea64052b069f74d102a277e3456f02503d238e18414d8
Instruction ID: 904f33d1e1fb8da6875f986339e8ca8293199e9da825ef70e276dd3b9a144289
Opcode Fuzzy Hash: 7f93d3abdeabaceb635ea64052b069f74d102a277e3456f02503d238e18414d8
Instruction Fuzzy Hash: 3D01D675900225EBCB05EB60F8056BEB772FF94715F280509F810AB392CF749E019BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D228CC Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D228D3
std::_Lockit::_Lockit.LIBCPMT ref: 00D228DD

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D2292E
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2294E

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7dca87f104672b801dfbc670ded87f35421e382529ed4cb9fe2a4eed6cacc373
Instruction ID: 75390cf15489ee40e0b1285e752701729c743c2766ebb75c74825325b515700d
Opcode Fuzzy Hash: 7dca87f104672b801dfbc670ded87f35421e382529ed4cb9fe2a4eed6cacc373
Instruction Fuzzy Hash: 7401C475900225ABCB05EB60B9116BE7772EF94724F280509F410AB392CF749E41CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22837 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2283E
std::_Lockit::_Lockit.LIBCPMT ref: 00D22848

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22899
std::_Lockit::~_Lockit.LIBCPMT ref: 00D228B9

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 80ef1477a70aa68749750e098deb648d1fcb2e10268d12d48d5105f653599521
Instruction ID: 53d9f09e1d7fd35cb942be74ce382282b3527b88042942a28493ea217706d871
Opcode Fuzzy Hash: 80ef1477a70aa68749750e098deb648d1fcb2e10268d12d48d5105f653599521
Instruction Fuzzy Hash: 2E01A175900225ABCB05EB60F9116BEB762FF94714F240509F400AB392DF74DA008BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2E96D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2E974
std::_Lockit::_Lockit.LIBCPMT ref: 00D2E97E

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D2E9CF
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2E9EF

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 233751a7d1f38bc8e2404e190d1a2f7d6be876235fc03ff652d64327b926dbc4
Instruction ID: a55498787e172d591b1031fa533ab2e1f24bf739b29499e5947978f965d2c9eb
Opcode Fuzzy Hash: 233751a7d1f38bc8e2404e190d1a2f7d6be876235fc03ff652d64327b926dbc4
Instruction Fuzzy Hash: E201D6359002259BCB05EB64F9016FEB766EF94314F29050AF410AB392CF709E40CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EA02 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2EA09
std::_Lockit::_Lockit.LIBCPMT ref: 00D2EA13

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D2EA64
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2EA84

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: c2941ed4ea0098a32da15ebac33b97d3b47ee88cf9166a46e15769848f64095d
Instruction ID: 6289f47b9401023a8b7886ac01cdc7f154cc50790ca781c1ee9fb3442ab5a863
Opcode Fuzzy Hash: c2941ed4ea0098a32da15ebac33b97d3b47ee88cf9166a46e15769848f64095d
Instruction Fuzzy Hash: 6F01D235D002259FCB05EB64F9516AEBB62FFA4714F290509F800AB392DF709E408BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EBC1 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2EBC8
std::_Lockit::_Lockit.LIBCPMT ref: 00D2EBD2

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D2EC23
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2EC43

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: ed1f0f64a4113181ae453dc82e023884812b5b78be3eed3202391ae676d97122
Instruction ID: 40912e75d71b5213a43fadf53009b08296d9d98882e2965fd018ba1ee49fba32
Opcode Fuzzy Hash: ed1f0f64a4113181ae453dc82e023884812b5b78be3eed3202391ae676d97122
Instruction Fuzzy Hash: 5701C435A002259BCB15EBA0F9056BE7772EF94324F280549F410AB3D2DF709E009BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22BB5 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00D22BC6

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22C17
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22C37

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9aae07a85eea510cd965d66b0ea796e12c8455bb41ffa97e12c21f757a979d0c
Instruction ID: d1c1a3ff3ceb78314d5a6b56c12ab0c653f4c4d590291aa4af553db8abebdba2
Opcode Fuzzy Hash: 9aae07a85eea510cd965d66b0ea796e12c8455bb41ffa97e12c21f757a979d0c
Instruction Fuzzy Hash: 6501D635900229EBCB15EB64F9016BEB772EFA4314F250409F800AB392CF749E00DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22CDF Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22CE6
std::_Lockit::_Lockit.LIBCPMT ref: 00D22CF0

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22D41
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22D61

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 79bc2a4ea3aebc342a75d874b1cfe4cd7cc8abe463d6fd88a891db293e1275b8
Instruction ID: 51f400cfc0b81cb0548100f1c5f2174413650629c839cde515556fa0e8982a05
Opcode Fuzzy Hash: 79bc2a4ea3aebc342a75d874b1cfe4cd7cc8abe463d6fd88a891db293e1275b8
Instruction Fuzzy Hash: B101C035900229ABCB15EB60F9416BEB772FF94714F280509F800AB392DFB09E418BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EC56 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 00D2EC67

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D2ECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 00D2ECD8

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 677feb5fc0a77ab02fe23c6f7f29a7248c834930ed511969426e57e99880f288
Instruction ID: cc2f14750d062e96d7da79c1603a5584ef27321898c65cc51cea80586272fbbc
Opcode Fuzzy Hash: 677feb5fc0a77ab02fe23c6f7f29a7248c834930ed511969426e57e99880f288
Instruction Fuzzy Hash: F201C035A00225DBCB05EBA4F8516AEBB72FF94324F280409F401AB392DF709E419BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22C4A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22C51
std::_Lockit::_Lockit.LIBCPMT ref: 00D22C5B

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22CAC
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22CCC

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 104eda206c6b197bc325e170be1c476ca517f10fd885872525ff20712b76358f
Instruction ID: 3e6afb885557800238843c0afe6df715218dd36f2c298dcf7cb29f9d9d3c8d1f
Opcode Fuzzy Hash: 104eda206c6b197bc325e170be1c476ca517f10fd885872525ff20712b76358f
Instruction Fuzzy Hash: D601D675901225EFCB15EB64F9016BE7772EF94714F250409F401AB391CF759E409BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22E9E Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22EA5
std::_Lockit::_Lockit.LIBCPMT ref: 00D22EAF

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22F00
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22F20

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: bcd6b27455ffbda3a57e7ec852c4ae8579443fdb2a180e626b5d27145609205c
Instruction ID: 7391dd00b439ff263fe063cdd109ec2fb2827c8bf71d6c15a651b0a272e0bd45
Opcode Fuzzy Hash: bcd6b27455ffbda3a57e7ec852c4ae8579443fdb2a180e626b5d27145609205c
Instruction Fuzzy Hash: 3C01C435900225ABCB05EB60F9016BE7772FFA4314F250509F810AB392CF709E00CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22E09 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22E10
std::_Lockit::_Lockit.LIBCPMT ref: 00D22E1A

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22E6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22E8B

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 59440dc173830f8090a9343c24a127def7a9d94f1edd9e162fc27728738e126b
Instruction ID: 15eae1d4fb07c674fba86f0a559c4c04f3c23d285d4b4a0f70437da13d8aff52
Opcode Fuzzy Hash: 59440dc173830f8090a9343c24a127def7a9d94f1edd9e162fc27728738e126b
Instruction Fuzzy Hash: CD01DB35900225EBCB05EB64F4016BEB772FF64714F250909F8106B391DF709E409BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22F33 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D22F3A
std::_Lockit::_Lockit.LIBCPMT ref: 00D22F44

Part of subcall function 00D18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D18C50
Part of subcall function 00D18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D18C78

std::_Facet_Register.LIBCPMT ref: 00D22F95
std::_Lockit::~_Lockit.LIBCPMT ref: 00D22FB5

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 29080daa6c0acadcdd1c3afb2d51315d4d990f91be3830afda2f7a39a0c54a20
Instruction ID: 4105fbd28acf7ba530c9e4d79994f6d821f1096f8f0ecd6847dcb9699f8cd933
Opcode Fuzzy Hash: 29080daa6c0acadcdd1c3afb2d51315d4d990f91be3830afda2f7a39a0c54a20
Instruction Fuzzy Hash: B7018435900225EBCB15EB64B9116BEB776FFA8714F250509F801AB392DF749E408BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D53686 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00D5369D
GetLastError.KERNEL32(?,00D53053,?,00000001,?,?,?,00D52198,?,?,00000000,?,?,?,00D5271F,?), ref: 00D536A9

Part of subcall function 00D5366F: CloseHandle.KERNEL32(FFFFFFFE), ref: 00D5367F

___initconout.LIBCMT ref: 00D536B9

Part of subcall function 00D53631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00D53644

WriteConsoleW.KERNEL32 ref: 00D536CE

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8e4db491358f6bcf7cf6207ac0496d165a110ef5201b029688ca30c48d33507c
Instruction ID: 939c9eb8acea5833be551790c26b54eeb2c439dc841aca7d8b0287ecbc61d9bc
Opcode Fuzzy Hash: 8e4db491358f6bcf7cf6207ac0496d165a110ef5201b029688ca30c48d33507c
Instruction Fuzzy Hash: B3F01C36504358BBCF622FD9EC049993F66FB083E2B144454FE19DA320C6328920EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1EC87 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D1EC8E

Part of subcall function 00D1D87C: __EH_prolog3.LIBCMT ref: 00D1D883
Part of subcall function 00D1D87C: std::_Lockit::_Lockit.LIBCPMT ref: 00D1D88D
Part of subcall function 00D1D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 00D1D8FE

_Find_elem.LIBCPMT ref: 00D1EE8A

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00D1ECF6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: b86a3cc0e0e4d3a886acd402f4434032ab7e56e33c207c736459b7db8d334721
Instruction ID: 6cbcbcd2cf2c68b4fea7cfb9433736f03cd8be6ca72d6762b5a6c32d5b5c7b14
Opcode Fuzzy Hash: b86a3cc0e0e4d3a886acd402f4434032ab7e56e33c207c736459b7db8d334721
Instruction Fuzzy Hash: C4C15F34E04298AADF15DBA4E5507ECBBB2AF55300F284069EC856B287DF319DC6CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D262BE Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D262C8

Part of subcall function 00D22D74: __EH_prolog3.LIBCMT ref: 00D22D7B
Part of subcall function 00D22D74: std::_Lockit::_Lockit.LIBCPMT ref: 00D22D85
Part of subcall function 00D22D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00D22DF6

_Find_elem.LIBCPMT ref: 00D26502

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00D2633F

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 13ea2dedce409de26b6abfe844ba262d1c1c14287c9a4d84aae3fe0a530f4b38
Instruction ID: 4630475be059df7a51bbec72c098ceb677022a93136e6b065406ed1609d65c45
Opcode Fuzzy Hash: 13ea2dedce409de26b6abfe844ba262d1c1c14287c9a4d84aae3fe0a530f4b38
Instruction Fuzzy Hash: B1C18470E043788ADF25DF68E8517ACBBB1BF21308F584099D885AB286DB35DD85DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D26694 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2669E

Part of subcall function 00D1B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00D1B8DD
Part of subcall function 00D1B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00D1B900
Part of subcall function 00D1B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B928
Part of subcall function 00D1B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D1B9B7

_Find_elem.LIBCPMT ref: 00D268D8

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00D26715

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2799312399
Opcode ID: 18afea134a2c8acf14d9665ad428fb72c84b202b011ea88926aa0f0367a6c912
Instruction ID: e6207ad3aa72ee2f91767e0c40dc2005b1eef386efa2d1970da9b2e40f932df8
Opcode Fuzzy Hash: 18afea134a2c8acf14d9665ad428fb72c84b202b011ea88926aa0f0367a6c912
Instruction Fuzzy Hash: E4C16370D043788ADF15DF64E8517ACBBB2BF65308F588099D885AB282DB34DD85DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D4BB06 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00D4BB30

Part of subcall function 00D37044: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D37046
Part of subcall function 00D37044: GetCurrentProcess.KERNEL32(C0000417,00D6A078,?,00000000,?,?,?,00D43583,00D6A078,0000000C,00D43841,?), ref: 00D37069
Part of subcall function 00D37044: TerminateProcess.KERNEL32(00000000,?,00D43583,00D6A078,0000000C,00D43841,?), ref: 00D37070

Strings

G, xrefs: 00D4BB5B, 00D4BB9A, 00D4BBCF, 00D4BBE3, 00D4BBED, 00D4BCB7

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_wcschr
String ID: G
API String ID: 606420371-2458028032
Opcode ID: 731411f6c8ab6d88dc774a84d9b6839a151af71538b3d45f5e498e1c5132e61c
Instruction ID: 42c0ee2b66dc182decaaa1797383104ea084e043f0463f888808abd589610ca5
Opcode Fuzzy Hash: 731411f6c8ab6d88dc774a84d9b6839a151af71538b3d45f5e498e1c5132e61c
Instruction Fuzzy Hash: 0E61F5B1D00704ABCB206F78D882A6E77A4EF25370F18456FF912DB286EB74D9009B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D41A6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D41AFD

Strings

pow, xrefs: 00D41AD5, 00D41AF2

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 420c26160872de6c1eb300cad11f91846eac375f4b949e9f88ca430b6f89a426
Instruction ID: 28126849c55eeb22c5cb2fe745de1d1ad4ae9aead61624b94e628f017eea2a8c
Opcode Fuzzy Hash: 420c26160872de6c1eb300cad11f91846eac375f4b949e9f88ca430b6f89a426
Instruction Fuzzy Hash: E6519B65A89302CBCB117F5CCD4537A7BA0EB01741F284958E4D1862E9FF318CC59A77

Uniqueness

Uniqueness Score: -1.00%

Function 00D31E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D31FD1

Strings

-, xrefs: 00D31FFF
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00D31F2F, 00D31F66, 00D31F6B

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 910ffd1e61834cf430d6903360d0a61ce8b5325204e8cd3421ecd184845b7082
Instruction ID: fcad979a8be39c9ef14aecd8f2b756530cdb876234a9744439adc9727e122a9b
Opcode Fuzzy Hash: 910ffd1e61834cf430d6903360d0a61ce8b5325204e8cd3421ecd184845b7082
Instruction Fuzzy Hash: BF511579B042869BDF298FAC84817BEBBF9AF05341F18406AE891E7241C375D945CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D1BD90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D1BF6E

Strings

true, xrefs: 00D1BEAB
false, xrefs: 00D1BE95

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 820d19b843e704e5ed47c35b17b3385fd017366cd457273ad6d9216ff14f626d
Instruction ID: f7d4a9d6110e19a28f3ddb0b171a7d1ad93276c8c3f074add5a03b53fd6bb3ed
Opcode Fuzzy Hash: 820d19b843e704e5ed47c35b17b3385fd017366cd457273ad6d9216ff14f626d
Instruction Fuzzy Hash: 1651B3B5D007489FDB10CFA4D841BEEB7B8FF04314F14826AE845A7241EB74AA85CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D170A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00D171E3, 00D17210
\\?\UNC\, xrefs: 00D17173, 00D171CE

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 392a1bdc9c063d24136b062b8a514f206fb0a64eef0a45f8fea62dc3752c3043
Instruction ID: 617282fccfad973eef4e25f110e84feadffcc38daf7383c1e676f73b04097890
Opcode Fuzzy Hash: 392a1bdc9c063d24136b062b8a514f206fb0a64eef0a45f8fea62dc3752c3043
Instruction Fuzzy Hash: B7518C70A04304ABDB14CF68E845BEEB7B5FF49704F145519E841A7291DBB5A9C8CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D4FA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2D501
_swprintf.LIBCMT ref: 00D2D573

Part of subcall function 00D2254E: __EH_prolog3.LIBCMT ref: 00D22555
Part of subcall function 00D2254E: std::_Lockit::_Lockit.LIBCPMT ref: 00D2255F
Part of subcall function 00D2254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D225D0

Part of subcall function 00D22FC8: __EH_prolog3.LIBCMT ref: 00D22FCF

Strings

%.0Lf, xrefs: 00D2D56B

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 3050236999-1402515088
Opcode ID: 5ba02835cf5e9c5cd1db4afbed7e0b42552c2335be443955c1f9992a167cff64
Instruction ID: 4230465d2c3046015102f0405658c219ec8bf8629a5cb39c2fe784cc58e9ed7a
Opcode Fuzzy Hash: 5ba02835cf5e9c5cd1db4afbed7e0b42552c2335be443955c1f9992a167cff64
Instruction Fuzzy Hash: A3416B71E00318ABCF05DFE4E845AEDBBB5FF19304F208449E846AB295DB759915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D79E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2D7A5
_swprintf.LIBCMT ref: 00D2D817

Part of subcall function 00D18610: std::_Lockit::_Lockit.LIBCPMT ref: 00D18657
Part of subcall function 00D18610: std::_Lockit::_Lockit.LIBCPMT ref: 00D18679
Part of subcall function 00D18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D186A1
Part of subcall function 00D18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D1880E

Strings

%.0Lf, xrefs: 00D2D80F

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: c09e3485d437b0c48c3c047941d7b2bfbb7d05236136e0e8b06204fe935aa5ed
Instruction ID: 58755b946cb5f78b1b39e7e0cd54a5ea83fb4c5819d3a92f2e41df624f5c4c73
Opcode Fuzzy Hash: c09e3485d437b0c48c3c047941d7b2bfbb7d05236136e0e8b06204fe935aa5ed
Instruction Fuzzy Hash: 46417871E00318ABCF05DFE4E845ADEBBB5FF18304F204449E846AB295EB359955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D31887 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D3188E
_swprintf.LIBCMT ref: 00D31900

Part of subcall function 00D19270: std::_Lockit::_Lockit.LIBCPMT ref: 00D192A0
Part of subcall function 00D19270: std::_Lockit::_Lockit.LIBCPMT ref: 00D192C2
Part of subcall function 00D19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D192EA
Part of subcall function 00D19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D19422

Strings

%.0Lf, xrefs: 00D318F8

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 3b6730938b426eb05f1f972200bbf77044bfaee7ff94cab5059c290b457011ed
Instruction ID: 354507d67507daf7249aeb165dccac3bfab8244d76e12909493830ed3034ece2
Opcode Fuzzy Hash: 3b6730938b426eb05f1f972200bbf77044bfaee7ff94cab5059c290b457011ed
Instruction Fuzzy Hash: 23418875E00309ABCF05DFE4D855ADDBBB5FF08300F208449E856AB2A1DB359A59CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D36059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D3607E

Strings

MOC, xrefs: 00D36090
RCC, xrefs: 00D36098

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 299f65880ab7f204bd81ce2cdb0c8486f5310b2c87790bd91c9472e48d0bd3b9
Instruction ID: bfd914f5bf09c1ea6471a1908341d4de5cc94ffc9ffe1bc5031720a47146599a
Opcode Fuzzy Hash: 299f65880ab7f204bd81ce2cdb0c8486f5310b2c87790bd91c9472e48d0bd3b9
Instruction Fuzzy Hash: 16413671900209FFCF15DF98DD81AAEBBB5EF48304F188159F908A7252D235D951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D2DF8F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2DF96
__cftoe.LIBCMT ref: 00D2E01A

Strings

!%x, xrefs: 00D2DFA7

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: e02282dc4c552ddb7946ade5ce06a6442755b6818e104d1c668d14899c295de4
Instruction ID: 2a3f93f6b8c350b0ee38c4a1016410bc51d37252ed5abe1ce29bec0786098edb
Opcode Fuzzy Hash: e02282dc4c552ddb7946ade5ce06a6442755b6818e104d1c668d14899c295de4
Instruction Fuzzy Hash: CA316671D00219EBDF04DF94EA81AEEB7B6FF18308F204419F905A7251DB75AA46CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D319FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D31A01
__cftoe.LIBCMT ref: 00D31A7F

Strings

!%x, xrefs: 00D31A15

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 30c10768a4cb41472d9573ebe97dd5cfecf34eb04e922402dd6a1950ba91218c
Instruction ID: 52da2664415f927f19f6d771b6438864c38957690eb2b577e027c5068563ee30
Opcode Fuzzy Hash: 30c10768a4cb41472d9573ebe97dd5cfecf34eb04e922402dd6a1950ba91218c
Instruction Fuzzy Hash: 7F319836D05259AFEF00DF98E881AEEBBB5EF18305F14001AF844A7242D7759A46CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D15F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00D15F86
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,F83EBEA6), ref: 00D15FF6

Strings

Invalid SID, xrefs: 00D15FD4

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 4acbc82f7be25b9651803922e81c4f2de7e8e12a4e0536ac1da40c8478083926
Instruction ID: 9101a5cf93d790c2c337ace829ac6804eb842a2612c0fc59e5fcf0831792d647
Opcode Fuzzy Hash: 4acbc82f7be25b9651803922e81c4f2de7e8e12a4e0536ac1da40c8478083926
Instruction Fuzzy Hash: DF218E74A04705EBDB14CF58E815BAFBBF8EF44714F14051DE801A7380DBBAAA458BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D19070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D1909B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D190FE

Strings

bad locale name, xrefs: 00D19121

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 362ce761a51f4c3d5e431e914f452d2980f9ad1eba6ee4833b6c643fc0d1720f
Instruction ID: 243fa6884664653d642469756b66fa4a70ced97604e4d301fa0a6f96be4dcb61
Opcode Fuzzy Hash: 362ce761a51f4c3d5e431e914f452d2980f9ad1eba6ee4833b6c643fc0d1720f
Instruction Fuzzy Hash: CE21DE70805B84EED721CFA8C90478BBFE4EF19314F10868DE49597781D7B5A6088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1F098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D1F09F

Strings

true, xrefs: 00D1F109
false, xrefs: 00D1F0F6

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 40f4b9f8dc74a57dc374c19387f3354617dd82d87507c3b2073efca423e285e6
Instruction ID: 8f30277ef8726f2f348fb156d0c2d4599c2c0fdc77e418287e074dae92290560
Opcode Fuzzy Hash: 40f4b9f8dc74a57dc374c19387f3354617dd82d87507c3b2073efca423e285e6
Instruction Fuzzy Hash: F0118175941745AFC720EFB4E441BCAB7F4AF19300F14C52AF49697242EA30E5848B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D14070 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00D14261,00D54400,000000FF,F83EBEA6,00000000,?,00000000,?,?,?,00D54400,000000FF,?,00D13A75,?), ref: 00D14096
LocalAlloc.KERNEL32(00000040,40000022,F83EBEA6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D14154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,F83EBEA6,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D14177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D14217

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: ab8b8b2c6fc739a7a14ea78957beb88e5ead78cd7c8853709156ffe4330a1e45
Instruction ID: 8b5ae66465bf1afa7d1a5152d288be917b9f068a32a0cf7139df2c426ce5c7a5
Opcode Fuzzy Hash: ab8b8b2c6fc739a7a14ea78957beb88e5ead78cd7c8853709156ffe4330a1e45
Instruction Fuzzy Hash: F1518675A00205AFDB18DF6CD985AAEBBB5FB48350F14462DF915E7380DB31AD80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D11D80 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00D11E01
LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00D11E21
LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00D11EA7
LocalFree.KERNEL32(00000001,F83EBEA6,00000000,00000000,00D53C40,000000FF,?,00000000), ref: 00D11F2D

Memory Dump Source

Source File: 00000007.00000002.447210235.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000007.00000002.447205918.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447225552.0000000000D6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.447230127.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d10000_MSI1B42.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 184ac80fecdece0c863c4d9eb834f833ec67a4a2c37f7d05ebabd0a87fb12c89
Instruction ID: bc0746520d12ccad55ccab217525ffb3c5597f4e474b581ab4b49914a733bc65
Opcode Fuzzy Hash: 184ac80fecdece0c863c4d9eb834f833ec67a4a2c37f7d05ebabd0a87fb12c89
Instruction Fuzzy Hash: 5651D476508315AFC715DF68E840AABB7E8FB48350F140A6EF956D7390DB30D98487B1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3572, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	98.1%
Signature Coverage:	4.8%
Total number of Nodes:	374
Total number of Limit Nodes:	12

Executed Functions

Function 0013463C Relevance: 15.3, APIs: 10, Instructions: 291
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00134666
GetCurrentProcessId.KERNEL32 ref: 00134673

Part of subcall function 00138AE0: GetUserNameA.ADVAPI32 ref: 00138B08
Part of subcall function 00138AE0: wsprintfA.USER32 ref: 00138B25

GetCurrentProcessId.KERNEL32 ref: 00134743
GetCurrentProcessId.KERNEL32 ref: 0013478D
OpenProcess.KERNEL32 ref: 0013479D
NtQueryInformationProcess.NTDLL ref: 00134800
ReadProcessMemory.KERNEL32 ref: 00134873
ReadProcessMemory.KERNEL32 ref: 001348CD

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

WideCharToMultiByte.KERNEL32 ref: 00134946
CloseHandle.KERNEL32 ref: 00134B2C

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CurrentMemory$HandleRead$AllocateByteCharCloseInformationModuleMultiNameOpenQueryUserVirtualWidewsprintf
String ID:
API String ID: 3997021431-0
Opcode ID: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
Instruction ID: e82e2dd3dfc7f1b7ce20def0a904a2f795383226c34abd477536f74464ef2488
Opcode Fuzzy Hash: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
Instruction Fuzzy Hash: 16E13C72209B8486EB60DB25F85439AB3A4F788794F504125EBCD87B68EF7CC585CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00137588 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 001375E3

Part of subcall function 00137414: GetFileAttributesW.KERNEL32 ref: 00137428

NtCreateFile.NTDLL ref: 00137662
NtClose.NTDLL ref: 00137680

Strings

0, xrefs: 001375CB
@, xrefs: 001375C0

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateInitStringUnicode
String ID: 0$@
API String ID: 2504508917-1545510068
Opcode ID: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction ID: afb11a08bcd0fe1bedf2a15e3554af01653cd4bd2f33bd9b81831c7dbac689d2
Opcode Fuzzy Hash: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction Fuzzy Hash: F921E4B2118B808AE760DF10F46938BB7A0F3C0348F504125E6C987AA9CB7DD949CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001377B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 0013781B
NtCreateFile.NTDLL ref: 00137898

Strings

0, xrefs: 00137803
@, xrefs: 0013782E

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID: 0$@
API String ID: 2498367268-1545510068
Opcode ID: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction ID: 1947187ad60473b65db10953a17c697283cb76f05eb4de20c211970a26d0b782
Opcode Fuzzy Hash: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction Fuzzy Hash: 4721AF725187C48AE760DF14F45478BBBA4F3C4358F908219E6D987AA8CB7DD589CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001368E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00136910

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

GetAdaptersInfo.IPHLPAPI ref: 0013693B

Strings

o, xrefs: 0013691A

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
Instruction ID: 2b54693b46fc7e8aed2f6c573157fe1aa3d98f194295aa006c02781794f0a2c3
Opcode Fuzzy Hash: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
Instruction Fuzzy Hash: D0018076608B44DADB309B15E49435ABBB0F38C7A8F444625EACD47B68DB7CCA85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 0013B0C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenKey.NTDLL ref: 0013B136

Strings

0, xrefs: 0013B108
@, xrefs: 0013B110

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Open
String ID: 0$@
API String ID: 71445658-1545510068
Opcode ID: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
Instruction ID: c0161828a460836e3e9f56393cd3b10f8de824402bc5cb210f681390afd7dbd8
Opcode Fuzzy Hash: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
Instruction Fuzzy Hash: F101BBB221868196D760DF10E89438BBBA4F7D4384F905115E7C996A68EB7CC659CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00138AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00138B08
wsprintfA.USER32 ref: 00138B25

Strings

Albus, xrefs: 00138B1E, 00138B2B

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: NameUserwsprintf
String ID: Albus
API String ID: 54179028-39222308
Opcode ID: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction ID: 20884c27dd7be2d48983651277c0df06c6075eedb352a69f5ef4fab48afbe12a
Opcode Fuzzy Hash: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction Fuzzy Hash: 01F01271624A83D2EB61EF11F8403E96321FB98744FC01031A28D479B8DF7CC65ADB80

Uniqueness

Uniqueness Score: -1.00%

Function 0013B1D4 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
Instruction ID: 64eeb0df88f9820fdf0c27f6f8dada5075d4fbb6a32484c802e4648919d451b0
Opcode Fuzzy Hash: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
Instruction Fuzzy Hash: C031E436229A8086DB50DF25E48475EB7A0F7C4B84F905025FB8E87B69EF3CC945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0013A350 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
Instruction ID: d8fc94ff480b18e491ad4e5036996112356907c63d80b917440d05f5df75268c
Opcode Fuzzy Hash: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
Instruction Fuzzy Hash: DC311232218A81D6DB70DB10F48435EB360FBD4364F944726E6EE82AA8EF7CC544CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0013AD34 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

Strings

@, xrefs: 0013AD46

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction ID: 1a7158d2f0aef2764b992cc8b4fb6787e02b17bf09df75d1d32465d2ab24561c
Opcode Fuzzy Hash: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction Fuzzy Hash: BBE0C9B2628B8082D7509F65E45474BB764FB847B4F906305FAA947BD8CBBCC1188F44

Uniqueness

Uniqueness Score: -1.00%

Function 001378C0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

NtReadFile.NTDLL ref: 0013799F

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateFileMemoryReadVirtual
String ID:
API String ID: 1637922817-0
Opcode ID: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
Instruction ID: ea394a901197351c597956f6ff9f6741a418d0239023516317dc310e05d47677
Opcode Fuzzy Hash: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
Instruction Fuzzy Hash: 7721B776218BC48ADB60CB65E45035AB7A5F3887A4F908525EBCD83B68EF7CC554CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001379C8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID:
API String ID: 2498367268-0
Opcode ID: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction ID: f5f07010d32f223c71bd71426ba92c3332f9c03d2e5de7a90396874b33ae780b
Opcode Fuzzy Hash: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction Fuzzy Hash: 3A01AEB220CA80C6CA30DB16E48061EBBB0F799798F540215EA8D97A68DB3DCA458F00

Uniqueness

Uniqueness Score: -1.00%

Function 00137A54 Relevance: 1.5, APIs: 1, Instructions: 25filenativeCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00137AAB

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction ID: dc4075ff466b7ce87afa718983a7b976c04739ddca08499728e357f53a0f47da
Opcode Fuzzy Hash: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction Fuzzy Hash: 69F0E272618B9086D760CB64F48474BB7A0F388394F604129E7C983F68DBBCC1948F40

Uniqueness

Uniqueness Score: -1.00%

Function 0013378C Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 001337F6

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
Instruction ID: 4bfb8366f596ecfb15ec0b8a40367a621e108a775d381236a3b504595ff154f8
Opcode Fuzzy Hash: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
Instruction Fuzzy Hash: BCF01DB222864086D7309B10E44475AB760F7947B8F500314FAAE47AE8DB7DC2448B04

Uniqueness

Uniqueness Score: -1.00%

Function 00137B40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 00137B71

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction ID: df0f0e6fbec89c101034d37517d8c71030738eb2d5a587d2c0e381bee24d63b3
Opcode Fuzzy Hash: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction Fuzzy Hash: 95E0B672508A8182D6209B60E44478AB770F3853B8FA44305EAB942AE8CB7CC28ACF00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070044 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 179
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

MhGL, xrefs: 0000000180070079
t!, xrefs: 0000000180070089
&$58, xrefs: 0000000180070248
o0+X, xrefs: 0000000180070081
k, xrefs: 0000000180070099
KYZi, xrefs: 0000000180070071

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58$KYZi$MhGL$k$o0+X$t!
API String ID: 4275171209-455283310
Opcode ID: 1d3f5de679e9be7a7fe53fc895b5663e74619cb245d1804fb0228fdac3198365
Instruction ID: 0e931260a18899616fd0cd13b7456a36469c7a130b0b511a481734c725122d66
Opcode Fuzzy Hash: 1d3f5de679e9be7a7fe53fc895b5663e74619cb245d1804fb0228fdac3198365
Instruction Fuzzy Hash: 9E712272701788C6EB6ACF25E044B9E7BB1F348BC8FA59115EE4927B55DA3EC609C700

Uniqueness

Uniqueness Score: -1.00%

Function 00133A24 Relevance: 9.1, APIs: 6, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00133A6D

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
Instruction ID: dad797483e558c288c3d48e653fba69b019cc3917f1f929bbc32b22e070352a3
Opcode Fuzzy Hash: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
Instruction Fuzzy Hash: 3151F832208A8082DB60DB69F85035AB760F7C57A4F201225EBED87BE8DF7DC585CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00133868 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
Instruction ID: a4d01376934cc61ecc8ebd2fead3eeec67d7e3a7803917deb4e63e550fe7c8c2
Opcode Fuzzy Hash: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
Instruction Fuzzy Hash: F741B331604641C6EB24AF35E80532A7290FB553ACF504325F6BAC76E4DF38CA048B09

Uniqueness

Uniqueness Score: -1.00%

Function 00138820 Relevance: 6.0, APIs: 4, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00138836
Process32FirstW.KERNEL32 ref: 00138862
Process32NextW.KERNEL32 ref: 00138880
CloseHandle.KERNEL32 ref: 0013888F

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction ID: a291f8359edc26666891720508c8b00944b7d82ce8eaebfd2b0a21882595b9ac
Opcode Fuzzy Hash: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction Fuzzy Hash: EB011936628A40C7E7A0DB11E88875AB760F7C8788F440225FACE87A68DF3CC605CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: 4f173b11b85c9be10da8eb9948744f72f75bdffef8083b501ef1bcff6fad96bb
Instruction ID: dc3067c45e012cfe901e309ad5e26282e7953dc62dc132df2a3d5b0976b166a3
Opcode Fuzzy Hash: 4f173b11b85c9be10da8eb9948744f72f75bdffef8083b501ef1bcff6fad96bb
Instruction Fuzzy Hash: 6021263371169886CB6ACF74B158BADABA5B748BC8F1590268F4E17F55C93DD10AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: 11a750e4170a9ad4c562e75150ed66c3a2dc3f508a0205cd01daf590c50fbe37
Instruction ID: 23527d6a8d6615ab95d8207fcdc7229d218c2df4260ae3193873eea517917a3c
Opcode Fuzzy Hash: 11a750e4170a9ad4c562e75150ed66c3a2dc3f508a0205cd01daf590c50fbe37
Instruction Fuzzy Hash: 0421233271179486CB6ACF35A158FADABA5B718BC8F169016CF8E17F55C93DD109C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070200 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: a6f1ea9488f9dd4da2db5fb67a2fd5314731c71e78e17318f66e63a2c9041829
Instruction ID: d87006d348cf916555d4c40589e898ccdcab4414593187567b45beb92d847496
Opcode Fuzzy Hash: a6f1ea9488f9dd4da2db5fb67a2fd5314731c71e78e17318f66e63a2c9041829
Instruction Fuzzy Hash: 5421333271139886CB6ACF74A158FADABA1B708BC4F169115CE8E17F06C93DD109C300

Uniqueness

Uniqueness Score: -1.00%

Function 0013B400 Relevance: 4.5, APIs: 3, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 0013B498
CloseHandle.KERNEL32 ref: 0013B4AB
CloseHandle.KERNEL32 ref: 0013B4B6

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID:
API String ID: 2922976086-0
Opcode ID: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction ID: fd3ac5a0e7075c15fb836cc18ce1d716d5c8f610cdcfbdc2cbe9824124749b6e
Opcode Fuzzy Hash: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction Fuzzy Hash: 2C110336618A8087E760CF24F48475BB7A0F7C8354F508526EBCA82E68EBBCC448CF04

Uniqueness

Uniqueness Score: -1.00%

Function 001389D4 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

FindFirstVolumeW.KERNEL32 ref: 00138A0E
GetVolumeInformationW.KERNEL32 ref: 00138A62
FindVolumeClose.KERNEL32 ref: 00138A71

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction ID: d52d27266562d71768750e1cd53a8f5ea0733f61fd9197e1eb945d7e96be4b47
Opcode Fuzzy Hash: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction Fuzzy Hash: 1111EC32228B40D6D761DB11F48439AB7B0F7C4360FA44226E79983AA8DF7CC949CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00133C2C Relevance: 4.5, APIs: 3, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00133C49
ReleaseMutex.KERNEL32 ref: 00133C60
CloseHandle.KERNEL32 ref: 00133C6D

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandleMutexRelease
String ID:
API String ID: 3391745777-0
Opcode ID: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction ID: 3eca42532b44088a47f1e911d2d46e0828c3e55978b3a04d8f9b607d950eae06
Opcode Fuzzy Hash: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction Fuzzy Hash: BCE09234508A40C2E7A29B1AEC4839423B0F788B58F480215DF4E52270CF7CC989CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0013C808 Relevance: 3.1, APIs: 2, Instructions: 98comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0013C83E
CoCreateInstance.OLE32 ref: 0013C867

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 5f95cf64fe2eaace5818cad7947abaf6b2442e6c64c43a74d831eec03a8d12d4
Instruction ID: 8548fcd2aeb7b2cc2e051ad8c909e34451fff1d6c8d8d5849f97d72f9d8d24c7
Opcode Fuzzy Hash: 5f95cf64fe2eaace5818cad7947abaf6b2442e6c64c43a74d831eec03a8d12d4
Instruction Fuzzy Hash: 3D41AA36218BC8C6DBA0CB15E49479EB761F3D8B94F408126EACE53B68DF79C585CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070210 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 62memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: b6a3a98d28c9259cb78a12b48d44ca555a7ad990dfd794d5708a1868dd1c73ff
Instruction ID: cbf57c0b74e788f2119e0e4766543ca7679dc5ca0df739001d034443fdc2105d
Opcode Fuzzy Hash: b6a3a98d28c9259cb78a12b48d44ca555a7ad990dfd794d5708a1868dd1c73ff
Instruction Fuzzy Hash: 4021F07231139886CA69CF75A248FA9ABA5B708BC4F1691158F8E27F45CA3DE10AC700

Uniqueness

Uniqueness Score: -1.00%

Function 001388F8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

RtlFormatCurrentUserKeyPath.NTDLL ref: 0013896F

Part of subcall function 00137B40: NtFreeVirtualMemory.NTDLL ref: 00137B71

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentFormatFreeMemoryPathUserVirtual
String ID:
API String ID: 2593304397-0
Opcode ID: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
Instruction ID: fd0ab2d50d9f534c7aa929576f7234e37cfb853012afa37e83e27fdb4509fd98
Opcode Fuzzy Hash: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
Instruction Fuzzy Hash: 9011DA32218B8691DB20DB21E89136AB374F7E838CF905525F7CE82668EF3DC605CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00137414 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00137428

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction ID: a1a9130c9b2843c74e60f2d92ae78b3f22b94104eba2f3eb9f5da2fdd0014926
Opcode Fuzzy Hash: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction Fuzzy Hash: D4E04FB2A3C681C6D7B09B34E84576A6A60F385350F501620AAE7815D4DB38D459DF01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000018004A650 Relevance: 79.3, APIs: 37, Strings: 8, Instructions: 513filesleepmemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004A762
GetModuleFileNameW.KERNEL32 ref: 000000018004A778
PathAppendW.SHLWAPI ref: 000000018004A79A
ShellExecuteExW.SHELL32 ref: 000000018004A7D9
ILGetSize.SHELL32 ref: 000000018004A879
GetTickCount.KERNEL32 ref: 000000018004A8A3
srand.MSVCRT ref: 000000018004A8AB
GetCurrentProcess.KERNEL32 ref: 000000018004A8C4
GetProcessId.KERNEL32 ref: 000000018004A8CD
GetCurrentThreadId.KERNEL32 ref: 000000018004A8FF
rand.MSVCRT ref: 000000018004A907
LocalAlloc.KERNEL32 ref: 000000018004A956
InitializeSecurityDescriptor.ADVAPI32 ref: 000000018004A96C
LocalFree.KERNEL32 ref: 000000018004A979
SetSecurityDescriptorDacl.ADVAPI32 ref: 000000018004A9D6
CreateFileMappingW.KERNEL32 ref: 000000018004AA10
LocalFree.KERNEL32 ref: 000000018004AA1E
CreateFileMappingW.KERNEL32 ref: 000000018004AA59
MapViewOfFile.KERNEL32 ref: 000000018004AA84
CloseHandle.KERNEL32 ref: 000000018004AA97
memset.MSVCRT ref: 000000018004AAAC
memmove.MSVCRT ref: 000000018004AB4C
memmove.MSVCRT ref: 000000018004AB67
memmove.MSVCRT ref: 000000018004ABB3
memmove.MSVCRT ref: 000000018004ABCC
memmove.MSVCRT ref: 000000018004AC8F
UnmapViewOfFile.KERNEL32 ref: 000000018004ACA8
FindWindowW.USER32 ref: 000000018004ACC1
SetForegroundWindow.USER32 ref: 000000018004ACCF
memset.MSVCRT ref: 000000018004ACE4
wsprintfW.USER32 ref: 000000018004AD17
memset.MSVCRT ref: 000000018004AD2E
WaitForSingleObject.KERNEL32 ref: 000000018004AE1F
Sleep.KERNEL32 ref: 000000018004AE34
CloseHandle.KERNEL32 ref: 000000018004AE4C
CloseHandle.KERNEL32 ref: 000000018004AE5B
CloseHandle.KERNEL32 ref: 000000018004AE66

Strings

se2, xrefs: 000000018004AD07
open, xrefs: 000000018004A654
se1, xrefs: 000000018004AD10
Progman, xrefs: 000000018004ACBA
Program manager, xrefs: 000000018004ACB3
/%s %s %u, xrefs: 000000018004ACF1
..\360DeskAna64.exe, xrefs: 000000018004A78C
%u_%d_%d_%d_%u, xrefs: 000000018004A92D

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Filememmove$CloseHandlememset$Local$CreateCurrentDescriptorFreeMappingProcessSecurityViewWindow$AllocAppendCountDaclExecuteFindForegroundInitializeModuleNameObjectPathShellSingleSizeSleepThreadTickUnmapWaitrandsrandwsprintf
String ID: %u_%d_%d_%d_%u$..\360DeskAna64.exe$/%s %s %u$Progman$Program manager$open$se1$se2
API String ID: 1121195023-828389715
Opcode ID: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction ID: 9c018b3ec5208d5dc303fe800ce77a7618bf785d2afa65f14d01c037d361c4e0
Opcode Fuzzy Hash: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction Fuzzy Hash: D332CC72604B8886FB96CF25D8803DD73B1F789BD8F528116EA5947BA4DF38C649C708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010580 Relevance: 61.5, APIs: 25, Strings: 10, Instructions: 237registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800105C6
GetModuleFileNameW.KERNEL32 ref: 00000001800105DD
memset.MSVCRT ref: 00000001800105EF
RegOpenKeyExW.ADVAPI32 ref: 000000018001061C
RegQueryValueExW.ADVAPI32 ref: 0000000180010660
RegCloseKey.ADVAPI32 ref: 000000018001066B
PathAddBackslashW.SHLWAPI ref: 0000000180010684
StrCmpNIW.SHLWAPI ref: 00000001800106C8
memset.MSVCRT ref: 00000001800106E0
PathFileExistsW.SHLWAPI ref: 000000018001071C
memset.MSVCRT ref: 0000000180010734
PathFileExistsW.SHLWAPI ref: 0000000180010769
memset.MSVCRT ref: 000000018001077B
PathFileExistsW.SHLWAPI ref: 00000001800107AC

Strings

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 000000018001060B
360leakfixer.exe, xrefs: 00000001800106E5
%s\%s, xrefs: 00000001800106EF
safemon\pedrver.dll, xrefs: 0000000180010739
360SkinMgr.exe, xrefs: 0000000180010916
Path, xrefs: 0000000180010655, 00000001800108D7
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe, xrefs: 0000000180010896
safemon\FreeSaaS.tpi, xrefs: 0000000180010780
hipsver.dll, xrefs: 00000001800107E7
safemon\360Cactus.tpi, xrefs: 0000000180010834

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memset$FilePath$Exists$BackslashCloseModuleNameOpenQueryValue
String ID: %s\%s$360SkinMgr.exe$360leakfixer.exe$Path$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe$hipsver.dll$safemon\360Cactus.tpi$safemon\FreeSaaS.tpi$safemon\pedrver.dll
API String ID: 4260417939-4002867936
Opcode ID: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction ID: bf4960b57fd98bc25e9fd953caee1d48b1d668c6bea79cfa729634ea3028d897
Opcode Fuzzy Hash: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction Fuzzy Hash: BCB13D31614E8895EBA2DB21EC543DA63A4F78DBC4F908116FA9D87A95EF39C70DC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ECF4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018001ED67
GetFileSizeEx.KERNEL32 ref: 000000018001ED80
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001EDA6
ReadFile.KERNEL32 ref: 000000018001EDCE
CloseHandle.KERNEL32 ref: 000000018001EDDD
SetFilePointer.KERNEL32 ref: 000000018001EE03
ReadFile.KERNEL32 ref: 000000018001EE20
SetFilePointer.KERNEL32 ref: 000000018001EE63
ReadFile.KERNEL32 ref: 000000018001EE80
SetFilePointer.KERNEL32 ref: 000000018001EF14
ReadFile.KERNEL32 ref: 000000018001EF31
SetFilePointer.KERNEL32 ref: 000000018001EFB0
ReadFile.KERNEL32 ref: 000000018001EFCD
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F007
MultiByteToWideChar.KERNEL32 ref: 000000018001F034

Part of subcall function 0000000180036EC8: wcschr.MSVCRT ref: 0000000180036F7A
Part of subcall function 0000000180036EC8: _wcslwr.MSVCRT ref: 0000000180036FC8

SetFilePointer.KERNEL32 ref: 000000018001F064
ReadFile.KERNEL32 ref: 000000018001F07D
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F0A6
memmove.MSVCRT ref: 000000018001F0C1
memmove.MSVCRT ref: 000000018001F0EE
memmove.MSVCRT ref: 000000018001F117
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F172
CloseHandle.KERNEL32 ref: 000000018001F17E
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F195
CloseHandle.KERNEL32 ref: 000000018001F1A5

Strings

9, xrefs: 000000018001EF82

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File$Read$Pointer$CloseHandlememmove$??3@$ByteCharCreateMultiSizeWide_wcslwrwcschr
String ID: 9
API String ID: 2469906296-2366072709
Opcode ID: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction ID: b16b18eef39a39b515becb99aaa5640e1c6952976385d86e077c0efac659451c
Opcode Fuzzy Hash: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction Fuzzy Hash: 43D1D072300A8886EBA6DF25E8507ED37A1F749BD8F448614FE5647BA8DF38C249C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062148 Relevance: 43.9, APIs: 14, Strings: 11, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006217C
GetModuleFileNameW.KERNEL32 ref: 0000000180062193
PathCombineW.SHLWAPI ref: 00000001800621AA

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800621DB
GetProcAddress.KERNEL32 ref: 00000001800621EF
GetProcAddress.KERNEL32 ref: 0000000180062203
GetProcAddress.KERNEL32 ref: 0000000180062217
GetProcAddress.KERNEL32 ref: 000000018006222B
GetProcAddress.KERNEL32 ref: 000000018006223F
GetProcAddress.KERNEL32 ref: 0000000180062253
GetProcAddress.KERNEL32 ref: 0000000180062267
GetProcAddress.KERNEL32 ref: 000000018006227B
GetProcAddress.KERNEL32 ref: 000000018006228F
FreeLibrary.KERNEL32 ref: 00000001800622DD

Strings

ReadProcessMemory64, xrefs: 00000001800621D1
EnumProcessModules64, xrefs: 0000000180062209
GetCurrentDirectory64, xrefs: 0000000180062231
GetModuleInformation64, xrefs: 0000000180062259
GetModuleFileNameExW64, xrefs: 00000001800621F5
GetModuleBaseNameW64, xrefs: 00000001800621E1
..\ipc\x64for32lib.dll, xrefs: 0000000180062199
NtQueryInformationProcess64, xrefs: 0000000180062281
IsProcessWow64Process, xrefs: 0000000180062245
GetCommandLine64, xrefs: 000000018006221D
NtQueryInformationThread64, xrefs: 000000018006226D

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$Modulememset$CombineFileFreeHandleLibraryNamePath
String ID: ..\ipc\x64for32lib.dll$EnumProcessModules64$GetCommandLine64$GetCurrentDirectory64$GetModuleBaseNameW64$GetModuleFileNameExW64$GetModuleInformation64$IsProcessWow64Process$NtQueryInformationProcess64$NtQueryInformationThread64$ReadProcessMemory64
API String ID: 3359005274-2277939915
Opcode ID: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction ID: 36480451210aca2b5e6fe81c352119384c097133635e903ecd0715684d47c6ca
Opcode Fuzzy Hash: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction Fuzzy Hash: 2D512532201F5AA2EEA58F51E99439833A5FB4C7C0F549525EA5907A60DF38D3B9C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 416registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180002691
memset.MSVCRT ref: 00000001800026A3
memset.MSVCRT ref: 00000001800026C1
memset.MSVCRT ref: 000000018000275C
memset.MSVCRT ref: 0000000180002771
RegOpenKeyExW.ADVAPI32 ref: 0000000180002824
RegEnumKeyW.ADVAPI32 ref: 000000018000286C
RegOpenKeyExW.ADVAPI32 ref: 0000000180002964
free.MSVCRT ref: 0000000180002A97
RegCloseKey.ADVAPI32 ref: 0000000180002AD2
RegCloseKey.ADVAPI32 ref: 0000000180002AFB
RegCloseKey.ADVAPI32 ref: 0000000180002D4B

Strings

\Products\, xrefs: 00000001800028DF
HKEY_LOCAL_MACHINE\, xrefs: 0000000180002CA7
\Features\, xrefs: 000000018000290E
\Components\, xrefs: 0000000180002BB2

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memset$Close$Open$Enumfree
String ID: HKEY_LOCAL_MACHINE\$\Components\$\Features\$\Products\
API String ID: 1285027818-2258373985
Opcode ID: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction ID: 6311c4a4e92b2eb2b6e61e2371f742115398930d0f6aaa53fdf69de799299566
Opcode Fuzzy Hash: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction Fuzzy Hash: 9C126F72218AC891FAB2EB55E8453DAB365FB897C4F448111FA8E43A99DF3DC749C700

Uniqueness

Uniqueness Score: -1.00%

Function 00131030 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206pipefileprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 001310FF
SetHandleInformation.KERNEL32 ref: 00131119
CreatePipe.KERNEL32 ref: 0013113A
SetHandleInformation.KERNEL32 ref: 00131154
CreatePipe.KERNEL32 ref: 00131175
SetHandleInformation.KERNEL32 ref: 0013118F
CreateProcessW.KERNEL32 ref: 00131251

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

PeekNamedPipe.KERNEL32 ref: 00131300
ReadFile.KERNEL32 ref: 0013135C
PeekNamedPipe.KERNEL32 ref: 001313B0
ReadFile.KERNEL32 ref: 0013140C
GetExitCodeProcess.KERNEL32 ref: 00131445
TerminateProcess.KERNEL32 ref: 00131476
CloseHandle.KERNEL32 ref: 00131484

Part of subcall function 0013CB54: NtDelayExecution.NTDLL ref: 0013CB76

CloseHandle.KERNEL32 ref: 00131492
CloseHandle.KERNEL32 ref: 001314A0
CloseHandle.KERNEL32 ref: 001314AE

Part of subcall function 00137B40: NtFreeVirtualMemory.NTDLL ref: 00137B71

Strings

h, xrefs: 00131195

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: eb7bea1748a89db5f07d023bcdb676065683870e413be2d4ad1df109deaa66ff
Instruction ID: 7eea54fee0b2fed40058bfb68b1866b961760aac0ca0060e7c8b8bd834170f5c
Opcode Fuzzy Hash: eb7bea1748a89db5f07d023bcdb676065683870e413be2d4ad1df109deaa66ff
Instruction Fuzzy Hash: 34C1AF36208BC09AE760DB65E49479AB7A1F7C8754F504125EAC987A68DFBDC488CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060578 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 289registrywindowtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000018006062B
FindWindowW.USER32 ref: 000000018006067B
IsWindow.USER32 ref: 0000000180060690
memset.MSVCRT ref: 00000001800606C2
SendMessageTimeoutW.USER32 ref: 0000000180060722
SendMessageTimeoutW.USER32 ref: 0000000180060767
RegOpenKeyExW.ADVAPI32 ref: 00000001800607BF
memset.MSVCRT ref: 00000001800607DE
RegQueryValueExW.ADVAPI32 ref: 0000000180060825
memset.MSVCRT ref: 00000001800608E0
RegQueryValueExW.ADVAPI32 ref: 0000000180060918

Part of subcall function 0000000180016DD4: memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

RegCloseKey.ADVAPI32 ref: 00000001800609B9

Strings

activeapp, xrefs: 0000000180060819
TS2P, xrefs: 0000000180060713
Q360SafeMonClass, xrefs: 0000000180060674
activeweb, xrefs: 000000018006090C
MsgCenter, xrefs: 000000018006078E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Windowmemset$MessageQuerySendTimeoutValue$CloseFindForegroundOpenmemmove
String ID: MsgCenter$Q360SafeMonClass$TS2P$activeapp$activeweb
API String ID: 3772276521-2728888700
Opcode ID: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction ID: ee8cae4e48a5beadbc07239537d79e19b069e47090ef93ff609d4821bf219365
Opcode Fuzzy Hash: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction Fuzzy Hash: C1D19172604B4886EB51DF25E8403DE7761F789BE8F608215EAAD43BE5DF38C649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007E7C7 Relevance: 28.7, APIs: 16, Strings: 3, Instructions: 248COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 000000018007EB4B
free.MSVCRT ref: 000000018007EB57
free.MSVCRT ref: 000000018007EB62
memset.MSVCRT ref: 000000018007EBC2
calloc.MSVCRT ref: 000000018007EC04
free.MSVCRT ref: 000000018007EC10
free.MSVCRT ref: 000000018007EC1B
calloc.MSVCRT ref: 000000018007ECB8
free.MSVCRT ref: 000000018007ECC4
free.MSVCRT ref: 000000018007ECCF
calloc.MSVCRT ref: 000000018007ED0B
free.MSVCRT ref: 000000018007ED17
free.MSVCRT ref: 000000018007ED22
calloc.MSVCRT ref: 000000018007EDC9
free.MSVCRT ref: 000000018007EDD5
free.MSVCRT ref: 000000018007EDE0

Strings

], xrefs: 000000018007ED55
], xrefs: 000000018007EC39
-, xrefs: 000000018007EC59

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: free$calloc$memset
String ID: -$]$]
API String ID: 2591755499-1349866957
Opcode ID: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction ID: 1d85a50f400dc416e5d0a718f77556582d5ce19bdf984b68484f18af02043cc0
Opcode Fuzzy Hash: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction Fuzzy Hash: BCA1D272706BC892EB96CB16D0403A977A1F74D780F449616EB8A17B81DF39D2B9D300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005D014 Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 422timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 000000018005D0CB
SystemTimeToFileTime.KERNEL32 ref: 000000018005D0D9
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D46D
free.MSVCRT ref: 000000018005D489
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D597
free.MSVCRT ref: 000000018005D5B3
free.MSVCRT ref: 000000018005D5CB
ReleaseMutex.KERNEL32 ref: 000000018005D600

Strings

SLEV = %d , xrefs: 000000018005D7BB
ModName LIKE ', xrefs: 000000018005D6E2
AND , xrefs: 000000018005D73B
INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) , xrefs: 000000018005D09E
DELETE FROM 'MT' , xrefs: 000000018005D909
TimeStamp < %I64d;, xrefs: 000000018005D846
WHERE , xrefs: 000000018005D944
TYPE = %d, xrefs: 000000018005D76E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Timefree$??3@System$FileMutexRelease
String ID: AND $ SLEV = %d $ TYPE = %d$ WHERE $DELETE FROM 'MT' $INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) $ModName LIKE '$TimeStamp < %I64d;
API String ID: 2360919559-3261407791
Opcode ID: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction ID: fbbc87ecfbf22c2b8803d4662eccf4799cfebf60f86054df91e993a66dbd8da4
Opcode Fuzzy Hash: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction Fuzzy Hash: B102B332711A4C85FFB29BA5D4403DD2361AB887D8F148627BE2E6B7D4DE3AC649C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052FD8 Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 303registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018005303F
LeaveCriticalSection.KERNEL32 ref: 0000000180053088
RegOpenKeyExW.ADVAPI32 ref: 0000000180053228
RegDeleteKeyW.ADVAPI32 ref: 0000000180053296
RegCloseKey.ADVAPI32 ref: 00000001800532E1

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

Strings

Num_Catalog_Entries, xrefs: 00000001800530A9
Catalog_Entries64, xrefs: 00000001800530B6
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d, xrefs: 0000000180053359
%s\%s, xrefs: 0000000180053267
Num_Catalog_Entries64, xrefs: 00000001800530A2
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s, xrefs: 00000001800531D2
Catalog_Entries, xrefs: 00000001800530BD
NameSpace_Catalog5, xrefs: 00000001800533D8

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterLeaveOpenmemset
String ID: %s\%s$Catalog_Entries$Catalog_Entries64$NameSpace_Catalog5$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d
API String ID: 2413450229-732542554
Opcode ID: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction ID: 3ab1713314ff84c9548747a70e29f101a91a5434d94fe8d6158548384223fcd6
Opcode Fuzzy Hash: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction Fuzzy Hash: 69C1DEB1701A4D82EEA6DB29E8457D963A0F788BD4F04C422FE0D1B7A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000834C Relevance: 19.8, APIs: 13, Instructions: 336stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CA7
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CD3
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008D81

lstrcmpiW.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000), ref: 00000001800083C8
lstrcmpiW.KERNEL32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800083E6
CharNextW.USER32 ref: 0000000180008457
CharNextW.USER32 ref: 0000000180008541
CharNextW.USER32 ref: 000000018000855D
RegSetValueExW.ADVAPI32 ref: 00000001800085C2

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext$lstrcmpi$Value
String ID:
API String ID: 3520330261-0
Opcode ID: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction ID: 54a0f5542f62afcd6411b2081a4c08be2fbbe8d603b0a409542dd15f8ed12d0a
Opcode Fuzzy Hash: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction Fuzzy Hash: D3D1643260864982FBA2DB15E8543DA76E1FB9C7D0F91C121BA99476E4EF38C74DD700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060174 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800601FC
SHGetValueW.SHLWAPI ref: 0000000180060257
_wtoi.MSVCRT ref: 000000018006029F
_wtoi.MSVCRT ref: 00000001800602B1
_wtoi.MSVCRT ref: 00000001800602C3
_wtoi.MSVCRT ref: 00000001800602D5
SHSetValueW.SHLWAPI ref: 0000000180060468
??3@YAXPEAX@Z.MSVCRT ref: 000000018006050C

Strings

MontiorInfo, xrefs: 0000000180060244, 0000000180060455
%d|%d|%d|%d, xrefs: 0000000180060404
MsgCenter, xrefs: 000000018006021A, 000000018006042C, 0000000180060436

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _wtoi$Value$??3@memset
String ID: %d|%d|%d|%d$MontiorInfo$MsgCenter
API String ID: 1219333133-3184008533
Opcode ID: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction ID: 3a97e8b4d36ab7b0ff62b7c8c746816c118d75ce1dcaba847e92933311b9e76e
Opcode Fuzzy Hash: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction Fuzzy Hash: FDC1B472604B4887EB51CF29E84039E77A1F789BA4F208216FAAD577A4DF78D644CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00137FA8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

GetAdaptersInfo.IPHLPAPI ref: 00137FF4
GetAdaptersInfo.IPHLPAPI ref: 0013802B
wsprintfA.USER32 ref: 00138074
wsprintfA.USER32 ref: 0013815F
wsprintfA.USER32 ref: 001381C3

Strings

o, xrefs: 00138006

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 78c1bf18890002bbd55230ae8bdd6788f42dae7e011ee9be3a01caf660352b1c
Instruction ID: 73acef771514c589cdb48e56c6d8ad713546e67bef7c99e3ad8be745b83c9193
Opcode Fuzzy Hash: 78c1bf18890002bbd55230ae8bdd6788f42dae7e011ee9be3a01caf660352b1c
Instruction Fuzzy Hash: ACA1B876209B848ADB64CB15F49039AB7A0F788788F50052AFBCE83B69DF7CC555CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800647B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064800

Part of subcall function 0000000180035E24: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000180035ED4
Part of subcall function 0000000180035E24: memmove.MSVCRT ref: 0000000180035F42
Part of subcall function 0000000180035E24: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180035F7C

??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800648B2
SysFreeString.OLEAUT32 ref: 0000000180064941
SysAllocString.OLEAUT32 ref: 000000018006495E
GetFileAttributesW.KERNEL32 ref: 0000000180064BC3
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064D1C
??3@YAXPEAX@Z.MSVCRT ref: 0000000180064D8E
LeaveCriticalSection.KERNEL32 ref: 0000000180064DAC

Strings

360util, xrefs: 00000001800649C6, 0000000180064C35

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@CriticalSectionString$??2@AllocAttributesEnterFileFreeLeavememmove
String ID: 360util
API String ID: 2488163691-2294763832
Opcode ID: ba9b85f3e8219bbad665a1013a4ecfff85fbfd5e77b065d066760422abbecf22
Instruction ID: 9938724ed40c23cc8900e9648d175c046ed33f6fe674e618e7d9782a5817fc1c
Opcode Fuzzy Hash: ba9b85f3e8219bbad665a1013a4ecfff85fbfd5e77b065d066760422abbecf22
Instruction Fuzzy Hash: AE029C73B01B488AEB91CB64D8443DD33A6FB48798F519226EE592BB94DF38C619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070760 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018007078B
memset.MSVCRT ref: 00000001800707E0
RtlCaptureContext.KERNEL32 ref: 00000001800707FC
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180070814
RtlVirtualUnwind.KERNEL32 ref: 0000000180070852
IsDebuggerPresent.KERNEL32 ref: 0000000180070893
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018007089D
UnhandledExceptionFilter.KERNEL32 ref: 00000001800708A8
GetCurrentProcess.KERNEL32 ref: 00000001800708BE
TerminateProcess.KERNEL32 ref: 00000001800708CC

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
String ID:
API String ID: 2775880128-0
Opcode ID: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction ID: 97518c6b28749f0b1885d3d6b1dd33bd68934808d59c248e1302251445d11ba7
Opcode Fuzzy Hash: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction Fuzzy Hash: 1E413032A14B858AE751CF60EC503ED7360F799788F119229EA9D46B69EF78C398C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180049050 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000000180049077
GetCurrentProcess.KERNEL32 ref: 0000000180049085
OpenProcessToken.ADVAPI32 ref: 000000018004909B
LookupPrivilegeValueW.ADVAPI32 ref: 00000001800490B4
SetLastError.KERNEL32 ref: 00000001800490DA
AdjustTokenPrivileges.ADVAPI32 ref: 00000001800490FA
GetLastError.KERNEL32 ref: 0000000180049104
CloseHandle.KERNEL32 ref: 0000000180049117
CloseHandle.KERNEL32 ref: 0000000180049120
OpenProcess.KERNEL32 ref: 000000018004914F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken$AdjustLookupPrivilegePrivilegesValue
String ID:
API String ID: 2007143780-0
Opcode ID: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
Instruction ID: d46f0c18e1a39d64aeb05f722a7361000aff992e322ccff9c5dcc36b437ee35a
Opcode Fuzzy Hash: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
Instruction Fuzzy Hash: 2E218032604B4982EB919F61E8583DA63A1FB8CBD5F458035FA9E47B64DF3CC6498B04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017FE8 Relevance: 13.8, APIs: 9, Instructions: 322COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000180018020
memmove.MSVCRT ref: 0000000180018188
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800181E8
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001820A
??3@YAXPEAX@Z.MSVCRT ref: 000000018001824D

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018278
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182AD
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182D5
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001845E

Part of subcall function 00000001800429F4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042AAA

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@CountEnterLeaveTickmemmove
String ID:
API String ID: 1944083165-0
Opcode ID: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction ID: f41da155b52ef09f3583e4d9bfd8bf17b476c2db053c24b9ffbabfba65fc2eed
Opcode Fuzzy Hash: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction Fuzzy Hash: 37E15932B01F449AEB92CFA1E8403DD33B6F748798F148125EE5967B98DE34C65AD344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A994 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006A9D6

Part of subcall function 000000018006BD58: GetFileSizeEx.KERNEL32(?,?,?,?,000000018006A9EB,?,?,?,?,?,?,?,?,?,?,00000003), ref: 000000018006BD5C
Part of subcall function 000000018006BD58: _swprintf_c_l.LIBCMT ref: 000000018006BD74

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

_swprintf_c_l.LIBCMT ref: 000000018006AA1B
_swprintf_c_l.LIBCMT ref: 000000018006AA86
_swprintf_c_l.LIBCMT ref: 000000018006AB3B
_swprintf_c_l.LIBCMT ref: 000000018006AD15

Strings

INIT, xrefs: 000000018006AD63

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_l$ErrorFileLastSizemallocmemset
String ID: INIT
API String ID: 2772675779-4041279936
Opcode ID: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction ID: 738f7e56dffb12879fa424a41098a8b7db62e01a67729e30f645ff56db629163
Opcode Fuzzy Hash: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction Fuzzy Hash: 31E192727043588BF7A6EB6598507EA77A6F70D7C8F54C029AE5A43B86DF34C608CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010B58 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180010BE9
RegQueryValueExW.ADVAPI32 ref: 0000000180010C46
memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D0F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010D31
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D3B

Strings

360scan, xrefs: 0000000180010BBB

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuememmove
String ID: 360scan
API String ID: 1121107697-2450673717
Opcode ID: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction ID: 8412be06b917c2556790a81d519247f335b1f81f587c3bd72331bc97ccab05af
Opcode Fuzzy Hash: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction Fuzzy Hash: B551F336700A4889FBA6CBB5E8107ED3760BB487E8F548215EEA917B95DF74C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008023C Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180080256
_CxxThrowException.MSVCRT ref: 0000000180080276
_CxxThrowException.MSVCRT ref: 0000000180080296

Part of subcall function 000000018000EF8C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000F01A

_CxxThrowException.MSVCRT ref: 00000001800802BA
_CxxThrowException.MSVCRT ref: 00000001800802DA
_CxxThrowException.MSVCRT ref: 00000001800802FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180080312

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$??3@
String ID:
API String ID: 3542664073-0
Opcode ID: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction ID: f77bb453ddad34bb426a0367fc3509630a9405fc871705a0e6efaa82900c553f
Opcode Fuzzy Hash: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction Fuzzy Hash: 35216A72B00A88C9E75DFE33B8423EB6212ABD87C0F18D435BA594B69BDE25C5168740

Uniqueness

Uniqueness Score: -1.00%

Function 0013745C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31nativefileCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 001374A2
NtOpenFile.NTDLL ref: 001374D6
NtClose.NTDLL ref: 001374F0

Strings

0, xrefs: 0013748D
, xrefs: 001374B2
@, xrefs: 00137482

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFileInitOpenStringUnicode
String ID: $0$@
API String ID: 3719522541-2347541974
Opcode ID: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction ID: 3ce89dd518e80b804148b30e01c1c79a3aa1cd66aa210b17866225896c3f9342
Opcode Fuzzy Hash: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction Fuzzy Hash: 9001DA72119B8096E750DF10E49439BBB60F3D4794FA01025E7CA83AB8DB7DD98ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066C3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066C52
GetLastError.KERNEL32 ref: 0000000180066C9D
IsDebuggerPresent.KERNEL32 ref: 0000000180066CB5
OutputDebugStringW.KERNEL32 ref: 0000000180066CC6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0000000180066CBF

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction ID: 5420fd47393a03a9017ccb442b178d5ad27f9d1acba3036b184651f5d30fce96
Opcode Fuzzy Hash: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction Fuzzy Hash: FC117032710B4997F7869B22EE453E932A1FB58395F50C125E75982AA0EF3CD67CC710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180082A18 Relevance: 7.6, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180082A35
_CxxThrowException.MSVCRT ref: 0000000180082A55
_CxxThrowException.MSVCRT ref: 0000000180082A75
_CxxThrowException.MSVCRT ref: 0000000180082A95
_CxxThrowException.MSVCRT ref: 0000000180082AB8
_CxxThrowException.MSVCRT ref: 0000000180082ADB

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction ID: 0cc55a271704fcaf4879220f63c9cc24c35a4ef39e1216f676686ee34d186413
Opcode Fuzzy Hash: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction Fuzzy Hash: CE118471714A88C9E75EFE33A8027EB5312ABDC7C0F14D434B9894B65BCF25C6164300

Uniqueness

Uniqueness Score: -1.00%

Function 00137694 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 001376D1
NtDeleteFile.NTDLL ref: 001376E6

Strings

@, xrefs: 001376B4
0, xrefs: 001376BC

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFileInitStringUnicode
String ID: 0$@
API String ID: 3559453722-1545510068
Opcode ID: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction ID: 2211810f5e9bca1ce03e373e1f37dcadc778416c3091536c55e258067f89eb4a
Opcode Fuzzy Hash: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction Fuzzy Hash: 7AF0B2B2218A8186D7209F14E49438BBBA4F794798FA04115E6CE47A68DB7DC659CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00131A08 Relevance: 6.1, APIs: 4, Instructions: 113fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

FindFirstFileA.KERNEL32 ref: 00131AC7
wsprintfA.USER32 ref: 00131B95
FindNextFileA.KERNEL32 ref: 00131BC2
FindClose.KERNEL32 ref: 00131BD5

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
String ID:
API String ID: 65906682-0
Opcode ID: 7544d8a013f7abd9b84a5d7f403609ff286104f35a45eb63b3216f6701f46496
Instruction ID: b9ef09451730d036464fe2c08f4bec31ddadfe8e21a1d15780dc9294e65cae9c
Opcode Fuzzy Hash: 7544d8a013f7abd9b84a5d7f403609ff286104f35a45eb63b3216f6701f46496
Instruction Fuzzy Hash: 60510A72219BC5E2DB20DB01F49039AB775FBD4394F905526E68E43AA8EF7CC649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062600 Relevance: 5.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800626EE
memset.MSVCRT ref: 0000000180062710
memmove.MSVCRT ref: 00000001800627F5
memmove.MSVCRT ref: 0000000180062865

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction ID: 53b279b989bf8eb66429a88fea8492b1387e1814281b1786c9cbc4725fb6e079
Opcode Fuzzy Hash: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction Fuzzy Hash: 56A1A273A146D48FD795CF79D8407AC7BE1F389788F548126EA9997B48EB38C205CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00138560 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00138595
GetVersionExW.KERNEL32 ref: 001385AA

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1c33a9e7f7864ab9b6d588ba9abe1a45e84af9b554b73114541b1a6212808f0c
Instruction ID: f354f61e78200fe81e0a43f71fd85efff351c5663b18922339b649b43e4b5968
Opcode Fuzzy Hash: 1c33a9e7f7864ab9b6d588ba9abe1a45e84af9b554b73114541b1a6212808f0c
Instruction Fuzzy Hash: A03190F2829780CADB748B40E48936AB6A0F395759F55211AF28B45958CB7CC9D8CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00134F58 Relevance: 1.6, APIs: 1, Instructions: 53filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET ref: 00134FB9

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: e7fe929742e2ac5551c0b5bf5975d3ec219019460fbf9948bd6d2171cb39b706
Instruction ID: ca49efcef7773ba6ed6b433f458e6264f7c41a93bbacd6fd75cd574bca563f9a
Opcode Fuzzy Hash: e7fe929742e2ac5551c0b5bf5975d3ec219019460fbf9948bd6d2171cb39b706
Instruction Fuzzy Hash: 3511F93232868597DB65CA15E4547AAA3E6F7C8B84F804125AA8D83B58EF7DC645CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A2C8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 000000018006A2F1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction ID: 1e54cb40d621f6ee58c2f67f74a10768d1db0efbd2ae079103c51a30650bf8b3
Opcode Fuzzy Hash: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction Fuzzy Hash: 68D04276928B84CBD6A09B18F48430AB7A0F388794F501215EBCD46B29DB3CC2558F04

Uniqueness

Uniqueness Score: -1.00%

Function 00140B08 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e8b3a06e032308635d2037ffc9f4553eadc341b1c96db30923b3bf8c960e7f
Instruction ID: 52d7be0db948e51a3071de6eae9a16f3fecf3e0a6d54012035996ad6ac793130
Opcode Fuzzy Hash: a7e8b3a06e032308635d2037ffc9f4553eadc341b1c96db30923b3bf8c960e7f
Instruction Fuzzy Hash: 0D011F8790E3D45BC3078B750CA205E3F709693A4438BC1ABC399C3283D60D5919D722

Uniqueness

Uniqueness Score: -1.00%

Function 00140B38 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a035545d14f4d889ab215aa68e43aeeb25967380c8536a5bebcf1304ebbf42d
Instruction ID: 635a34729624dbe067341029a1c4ed0c67fb7a74477a886226d8198c4ed4d1d2
Opcode Fuzzy Hash: 6a035545d14f4d889ab215aa68e43aeeb25967380c8536a5bebcf1304ebbf42d
Instruction Fuzzy Hash: AFF0318B90E3D46BC3030F340CA219C3F700293A44B9AD0A3C7A8E3783D40E695AE762

Uniqueness

Uniqueness Score: -1.00%

Function 00140B28 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8246972d00f7b6f65566328481c67de661093764b5a2be5aac936da48b2a51d6
Instruction ID: c272f3b44f45aa2f0b8d17d573eb5996cfb31920d0d8bc550c0fd2c8bdb0490a
Opcode Fuzzy Hash: 8246972d00f7b6f65566328481c67de661093764b5a2be5aac936da48b2a51d6
Instruction Fuzzy Hash: 4EF00B8B90E3E4ABC7030E340CA209D3FB04693A4439AD1A7C3A5E3783950E581AE723

Uniqueness

Uniqueness Score: -1.00%

Function 00140A18 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58575a1358ae7e387839bc9df08da724cb04d05ef8efba8a2ce89fd355e24106
Instruction ID: 6bbf2164b3f308e0ad865be7b43a87ef8cc59ea827d5f1cea88a1b47ec1c57d9
Opcode Fuzzy Hash: 58575a1358ae7e387839bc9df08da724cb04d05ef8efba8a2ce89fd355e24106
Instruction Fuzzy Hash: 9BF05AA790E7C0ABD3175F3448A424D3F7096A3E44BAA80C7C3C9C3293D26D491AD766

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060FE0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 126libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000180061027
GetProcAddress.KERNEL32 ref: 0000000180061044
GetProcAddress.KERNEL32 ref: 0000000180061061
GetProcAddress.KERNEL32 ref: 000000018006107E
GetProcAddress.KERNEL32 ref: 000000018006109B
GetProcAddress.KERNEL32 ref: 00000001800610B8
GetProcAddress.KERNEL32 ref: 00000001800610D5
GetProcAddress.KERNEL32 ref: 00000001800610F2
GetProcAddress.KERNEL32 ref: 000000018006110F
GetProcAddress.KERNEL32 ref: 000000018006112C
GetProcAddress.KERNEL32 ref: 0000000180061149
GetProcAddress.KERNEL32 ref: 0000000180061166
GetProcAddress.KERNEL32 ref: 0000000180061183
GetProcAddress.KERNEL32 ref: 000000018006119C
GetProcAddress.KERNEL32 ref: 00000001800611B5
GetProcAddress.KERNEL32 ref: 00000001800611D1

Strings

sqlite3_close, xrefs: 000000018006103D
sqlite3_column_int64, xrefs: 000000018006117C
sqlite3_bind_parameter_index, xrefs: 00000001800611E6
sqlite3_column_int, xrefs: 000000018006115F
sqlite3_bind_int64, xrefs: 00000001800610B1
sqlite3_step, xrefs: 00000001800611AE
sqlite3_bind_int, xrefs: 00000001800610CE
sqlite3_reset, xrefs: 0000000180061094
sqlite3_prepare16_v2, xrefs: 0000000180061077
sqlite3_bind_text16, xrefs: 0000000180061108
sqlite3_finalize, xrefs: 0000000180061195
sqlite3_bind_blob, xrefs: 00000001800610EB
sqlite3_column_bytes, xrefs: 00000001800611CA
sqlite3_open16, xrefs: 000000018006101D
sqlite3_column_text16, xrefs: 0000000180061142
sqlite3_exec, xrefs: 000000018006105A
sqlite3_column_blob, xrefs: 0000000180061125

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: sqlite3_bind_blob$sqlite3_bind_int$sqlite3_bind_int64$sqlite3_bind_parameter_index$sqlite3_bind_text16$sqlite3_close$sqlite3_column_blob$sqlite3_column_bytes$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_open16$sqlite3_prepare16_v2$sqlite3_reset$sqlite3_step
API String ID: 190572456-2634604785
Opcode ID: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction ID: 5824c6e44f34b1b970dc4f09c8d16c86c5da5fb83a6df47551891ccc5cd06f94
Opcode Fuzzy Hash: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction Fuzzy Hash: D351A271201F4EA5EF968BA4E8913D833A1FB4CBD7F19D125A92D46364EF38C698C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AC40 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 242COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 000000018005AD27
VariantInit.OLEAUT32 ref: 000000018005AD40
VariantClear.OLEAUT32 ref: 000000018005AD67
VariantClear.OLEAUT32 ref: 000000018005AD72
VariantClear.OLEAUT32 ref: 000000018005AF35
VariantClear.OLEAUT32 ref: 000000018005AF40

Strings

name, xrefs: 000000018005AD52
update_first_open, xrefs: 000000018005AE57
propoganda, xrefs: 000000018005AE90
pop_count, xrefs: 000000018005AEAC
value, xrefs: 000000018005AD99
//root/config/item, xrefs: 000000018005AC7D
install_first_open, xrefs: 000000018005AE3C
tray_startup, xrefs: 000000018005AE73

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Variant$Clear$Init
String ID: //root/config/item$install_first_open$name$pop_count$propoganda$tray_startup$update_first_open$value
API String ID: 3740757921-2166998829
Opcode ID: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction ID: aff580d4b75deea64deb7e46e4065f56afbdc634fa72071d76af76b76e89fc57
Opcode Fuzzy Hash: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction Fuzzy Hash: CDB12A72705A09DAFB95CF65D8903EC27B0FB49B99F149421FA0EA3A64DF35CA48C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006442C Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 170libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180064485
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
GetLastError.KERNEL32 ref: 000000018006449C
EnterCriticalSection.KERNEL32 ref: 00000001800644C5
memset.MSVCRT ref: 00000001800644DB
GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
PathAppendW.SHLWAPI ref: 0000000180064508
PathAppendW.SHLWAPI ref: 000000018006451C
GetProcAddress.KERNEL32 ref: 0000000180064549
GetProcAddress.KERNEL32 ref: 000000018006455E
GetProcAddress.KERNEL32 ref: 0000000180064573
GetProcAddress.KERNEL32 ref: 0000000180064588
GetProcAddress.KERNEL32 ref: 000000018006459D
memset.MSVCRT ref: 00000001800645E5
FreeLibrary.KERNEL32 ref: 0000000180064691
LeaveCriticalSection.KERNEL32 ref: 00000001800646A3
??3@YAXPEAX@Z.MSVCRT ref: 00000001800646FD

Strings

..\deepscan\, xrefs: 00000001800644FA
QueryFilesEx2, xrefs: 0000000180064568
QuerySetOption, xrefs: 0000000180064592
360Safe, xrefs: 000000018006460E
QueryFileCreate, xrefs: 000000018006453F
QueryFileCancel, xrefs: 000000018006457D
360util, xrefs: 0000000180064628
cloudcom2.dll, xrefs: 000000018006450E
QueryFileClose, xrefs: 0000000180064553

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalSectionmemset$AppendPath$??3@CountEnterErrorFileFreeInitializeLastLeaveLibraryModuleNameSpin
String ID: ..\deepscan\$360Safe$360util$QueryFileCancel$QueryFileClose$QueryFileCreate$QueryFilesEx2$QuerySetOption$cloudcom2.dll
API String ID: 1015768321-2684063875
Opcode ID: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction ID: 85df055bf9425c6c0da70963d94a526d831783e1f19dc8973dcfbc1a34099653
Opcode Fuzzy Hash: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction Fuzzy Hash: B2818032301B8896EBA6DF21ED403D933A5FB497D4F548125EA5A0BBA4DF38D768C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066428 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 103registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
RegCloseKey.ADVAPI32 ref: 00000001800664D7
RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
memset.MSVCRT ref: 0000000180066519
RegQueryValueExW.ADVAPI32 ref: 0000000180066556
RegCloseKey.ADVAPI32 ref: 000000018006656C
PathAppendW.SHLWAPI ref: 000000018006657E
PathFileExistsW.SHLWAPI ref: 0000000180066589

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800665AF
FreeLibrary.KERNEL32 ref: 00000001800665C3
FreeLibrary.KERNEL32 ref: 00000001800665D0
RegCloseKey.ADVAPI32 ref: 00000001800665DD

Strings

Init, xrefs: 00000001800665A5
Path, xrefs: 0000000180066547
\entclient\EntSvcCall_x64.dll, xrefs: 0000000180066572
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00000001800664F0
ServiceCall, xrefs: 00000001800664AF
SOFTWARE\360Safe\360Ent, xrefs: 0000000180066467

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Close$FreeLibraryOpenPathQueryValuememset$AddressAppendExistsFileHandleModuleProc
String ID: Init$Path$SOFTWARE\360Safe\360Ent$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$ServiceCall$\entclient\EntSvcCall_x64.dll
API String ID: 1498439332-702965266
Opcode ID: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction ID: 4281fb2f7f8363f35efb0fd70a638a071d20137889dcc292f685ea46b841f4e2
Opcode Fuzzy Hash: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction Fuzzy Hash: 74513E32614B4996EF918F20E8557DA73A0F7897C4F549116BA9F06A79EF38C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024CD4 Relevance: 32.0, APIs: 6, Strings: 12, Instructions: 490COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180024D2B
PathFindExtensionW.SHLWAPI ref: 0000000180024D45
wcsstr.MSVCRT ref: 0000000180024D81
_wcsicmp.MSVCRT ref: 0000000180024DBC
wcschr.MSVCRT ref: 0000000180025254
_wtoi.MSVCRT ref: 0000000180025266

Strings

gfffffff, xrefs: 0000000180025519
Server, xrefs: 00000001800255AD, 00000001800255CC
ShellExecute, xrefs: 000000018002568D
\\?\, xrefs: 0000000180025ABC
gfffffff, xrefs: 0000000180025A39
InprocServer, xrefs: 0000000180025950, 000000018002596F
InprocHandler, xrefs: 00000001800259C4, 00000001800259E3
LocalServer, xrefs: 0000000180025539, 0000000180025558
CLSID, xrefs: 0000000180025490
InprocServer32, xrefs: 000000018002598A, 00000001800259A9
InprocHandler32, xrefs: 00000001800259FE, 0000000180025A1D
LocalServer32, xrefs: 0000000180025573, 0000000180025592

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$ExtensionFindPath_wcsicmp_wtoiwcschr
String ID: CLSID$InprocHandler$InprocHandler32$InprocServer$InprocServer32$LocalServer$LocalServer32$Server$ShellExecute$\\?\$gfffffff$gfffffff
API String ID: 3861457700-2318594275
Opcode ID: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction ID: f5eaf3cd70d8a4233fc3eb4f5baabc932733307175318797ea3a634ab2d80fd0
Opcode Fuzzy Hash: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction Fuzzy Hash: 3A12B672301A4886EB92DF39C8407DD23A1FB85BE5F44D211EA6D576E9EF78CA48C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056DE8 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 0000000180056E2B
_wcsicmp.MSVCRT ref: 0000000180056E62
_wcsicmp.MSVCRT ref: 0000000180056E79
memset.MSVCRT ref: 0000000180056E93
SHGetValueW.SHLWAPI ref: 0000000180056ECC
memset.MSVCRT ref: 0000000180056EF4
memset.MSVCRT ref: 0000000180056F1B

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

SHGetValueW.SHLWAPI ref: 0000000180056F5D
LeaveCriticalSection.KERNEL32 ref: 0000000180056F91

Strings

SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056EBB
ipartner, xrefs: 0000000180056F03
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056F41
Partner, xrefs: 0000000180056F2F
PCInfo, xrefs: 0000000180056E6F
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056F0A
pid, xrefs: 0000000180056EB4
360ExtHost, xrefs: 0000000180056E58
SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056F38

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memset$_wcsicmp$AppendCriticalPathSectionValue$EnterFileLeaveModuleName
String ID: 360ExtHost$PCInfo$Partner$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$ipartner$pid
API String ID: 3226263223-3142758636
Opcode ID: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction ID: 9533c192c26b347b8b9675f8c4be5ba0e6f9fe9a3a5b632a6bc0f6ba07ebb3e1
Opcode Fuzzy Hash: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction Fuzzy Hash: CF419D31A00A0C94FB96DB22A8403D963A4F74DBE4F909225FD28677A5EF39C74EC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044F64 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 320COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 00000001800450AA
_cwprintf_s_l.LIBCMT ref: 00000001800450C2
_cwprintf_s_l.LIBCMT ref: 00000001800450D8

Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017B79
Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017BCB
Part of subcall function 0000000180017B44: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BD6
Part of subcall function 0000000180017B44: GetLastError.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BE0
Part of subcall function 0000000180017B44: GetTickCount.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BF8

Part of subcall function 000000018000D19C: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D22A
Part of subcall function 000000018000D19C: memset.MSVCRT ref: 000000018000D270
Part of subcall function 000000018000D19C: memmove.MSVCRT ref: 000000018000D282
Part of subcall function 000000018000D19C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000D2B8

memmove.MSVCRT ref: 000000018004518F
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800451AE
??3@YAXPEAX@Z.MSVCRT ref: 00000001800451EB
GetTickCount.KERNEL32 ref: 0000000180045357
srand.MSVCRT ref: 000000018004535F
rand.MSVCRT ref: 0000000180045365

Strings

0=%s, xrefs: 00000001800450CC
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s, xrefs: 000000018004509E
DomainQuery, xrefs: 00000001800450AF
router:1, xrefs: 000000018004506E
[%s], xrefs: 0000000180045051, 00000001800450B6
360safe, xrefs: 0000000180045086
com, xrefs: 000000018004504A
router, xrefs: 000000018004507A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Count_cwprintf_s_lmemset$??3@Tickmemmove$??2@CriticalErrorHeapInitializeLastProcessSectionSpinrandsrand
String ID: 0=%s$360safe$DomainQuery$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s$router$router:1
API String ID: 1789426470-3446598425
Opcode ID: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction ID: 6d6f9855de1d8c5247af129e1c82467daf937bd8777ee679c9f2b2c93b700a4d
Opcode Fuzzy Hash: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction Fuzzy Hash: D8D19132204F4882EB419B69D8803DE73A0F789BE5F108226BAAD477E5DF78C649C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C034 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000018004C074
OpenProcessToken.ADVAPI32 ref: 000000018004C085
GetTokenInformation.ADVAPI32 ref: 000000018004C0B8
GetLastError.KERNEL32 ref: 000000018004C0C8
GlobalAlloc.KERNEL32 ref: 000000018004C0E3
GetTokenInformation.ADVAPI32 ref: 000000018004C115
LookupAccountSidW.ADVAPI32 ref: 000000018004C156
CloseHandle.KERNEL32 ref: 000000018004C175
GlobalFree.KERNEL32 ref: 000000018004C183
wcscmp.MSVCRT ref: 000000018004C19D
wcscmp.MSVCRT ref: 000000018004C1B4
wcscmp.MSVCRT ref: 000000018004C1CB
wcscmp.MSVCRT ref: 000000018004C1E2

Strings

NETWORK SERVICE, xrefs: 000000018004C1D4
NT AUTHORITY, xrefs: 000000018004C193
LOCAL SERVICE, xrefs: 000000018004C1BD
SYSTEM, xrefs: 000000018004C1A6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: wcscmp$Token$GlobalInformationProcess$AccountAllocCloseCurrentErrorFreeHandleLastLookupOpen
String ID: LOCAL SERVICE$NETWORK SERVICE$NT AUTHORITY$SYSTEM
API String ID: 3141378966-199577007
Opcode ID: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction ID: cee3605f7c7adaec53412b2e982fb153fefebb873c81ca2b5be3308eddbb09f0
Opcode Fuzzy Hash: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction Fuzzy Hash: F2517C32604B4986EBE28F14E8847DA73A5F78D7D8F518125EA5D436A4DF39C70DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AC1C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018003AC67
GetModuleHandleW.KERNEL32 ref: 000000018003AC73
GetModuleFileNameW.KERNEL32 ref: 000000018003AC8E
memset.MSVCRT ref: 000000018003ACAE
GetModuleFileNameW.KERNEL32 ref: 000000018003ACC4
PathAppendW.SHLWAPI ref: 000000018003ACEA
PathAppendW.SHLWAPI ref: 000000018003ACFC
GetFileAttributesW.KERNEL32 ref: 000000018003AD07
PathAppendW.SHLWAPI ref: 000000018003AD36
PathAppendW.SHLWAPI ref: 000000018003AD48

Strings

..\deepscan\, xrefs: 000000018003ACDE
bapi64.dll, xrefs: 000000018003AC6C, 000000018003ACF0, 000000018003AD3C
..\, xrefs: 000000018003AD2A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$FileModule$Namememset$AttributesHandle
String ID: ..\$..\deepscan\$bapi64.dll
API String ID: 2144934147-2390674060
Opcode ID: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction ID: 18b05e09174244348b6cef7f8f2b1baf28e5037f203e247325d4c6a64b139c1b
Opcode Fuzzy Hash: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction Fuzzy Hash: 6F514B32614A8882FBA3DB20EC443DA3361F78D7C9F859125E59A47AA5EF2DC74DC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004872C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 0000000180048845
_cwprintf_s_l.LIBCMT ref: 000000018004885A
IsBadStringPtrW.KERNEL32 ref: 0000000180048873
_cwprintf_s_l.LIBCMT ref: 000000018004888F
memmove.MSVCRT ref: 0000000180048946
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800489B5
??3@YAXPEAX@Z.MSVCRT ref: 00000001800489F2
GetTickCount.KERNEL32(?,?,?,?,?,00000001800486FE), ref: 0000000180048B0C
srand.MSVCRT ref: 0000000180048B14
rand.MSVCRT ref: 0000000180048B1A

Strings

mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s, xrefs: 0000000180048839
%d=%s, xrefs: 0000000180048883
[%s], xrefs: 00000001800487EE, 000000018004884E
com, xrefs: 00000001800487E7

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _cwprintf_s_l$??3@CountHeapProcessStringTickmemmoverandsrand
String ID: %d=%s$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s
API String ID: 2740332460-2247268028
Opcode ID: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction ID: 80426b886386f52412969e15ba132e6e65bce95777886caa6ce0aa64614bcf94
Opcode Fuzzy Hash: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction Fuzzy Hash: 5FD1C172305F4886EB51DB29E88039E73A0FB88BE8F158625AE5D077A5DF78C549C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004F018 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 116COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 000000018004F06D
_wcsicmp.MSVCRT ref: 000000018004F102
_wcsnicmp.MSVCRT ref: 000000018004F11C
_wcsicmp.MSVCRT ref: 000000018004F14D
_wcsnicmp.MSVCRT ref: 000000018004F167
_wcsicmp.MSVCRT ref: 000000018004F17B
_wcsnicmp.MSVCRT ref: 000000018004F195

Strings

Software\Classes\Wow6432Node\, xrefs: 000000018004F15D
Wow6432Node, xrefs: 000000018004F0F8
Software\Wow6432Node, xrefs: 000000018004F171
Wow6432Node\, xrefs: 000000018004F112
Software\Classes\Wow6432Node, xrefs: 000000018004F143
wow6432node, xrefs: 000000018004F066
Software\Wow6432Node\, xrefs: 000000018004F18B

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp_wcsnicmp$wcsstr
String ID: Software\Classes\Wow6432Node$Software\Classes\Wow6432Node\$Software\Wow6432Node$Software\Wow6432Node\$Wow6432Node$Wow6432Node\$wow6432node
API String ID: 4199785700-2224805171
Opcode ID: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction ID: 173969ce7e51924b4f06bf421c606f91b3afd6de77e358442d966ae2f37bd097
Opcode Fuzzy Hash: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction Fuzzy Hash: 55517371710E48C1EBA6DB29D8843B923A1B789BE4F46C215EA39437E4DF68CB4CC745

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014138 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001417F
GetModuleFileNameW.KERNEL32 ref: 0000000180014196
PathAppendW.SHLWAPI ref: 00000001800141A8

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

memset.MSVCRT ref: 00000001800141E1
GetModuleFileNameW.KERNEL32 ref: 00000001800141F8
PathAppendW.SHLWAPI ref: 000000018001420A
PathFileExistsW.SHLWAPI ref: 0000000180014215
memset.MSVCRT ref: 0000000180014229
GetModuleFileNameW.KERNEL32 ref: 0000000180014240
PathAppendW.SHLWAPI ref: 0000000180014252
PathFileExistsW.SHLWAPI ref: 000000018001425D

Strings

..\safemon\360Cactus.tpi, xrefs: 000000018001419C
..\360SkinMgr.exe, xrefs: 0000000180014246
..\360sd.exe, xrefs: 00000001800141FE

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendExistsModuleNamememset$CriticalSection$EnterLeave
String ID: ..\360SkinMgr.exe$..\360sd.exe$..\safemon\360Cactus.tpi
API String ID: 2738204422-1657815065
Opcode ID: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction ID: 05d3995d6e5afe1b7f2ff7eb98ba3dbe6d41cc5d548c72c66593806649a32fef
Opcode Fuzzy Hash: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction Fuzzy Hash: 0E417131614A8D82EBE69B21EC953EA27A4F79D784F80C055F99E476A5DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C3C8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004C433
GetModuleFileNameW.KERNEL32 ref: 000000018004C44D
PathAppendW.SHLWAPI ref: 000000018004C462

Strings

//lsp/fnpw, xrefs: 000000018004C685
..\360bps.dat, xrefs: 000000018004C453
//lsp/fnp, xrefs: 000000018004C66D

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\360bps.dat$//lsp/fnp$//lsp/fnpw
API String ID: 1620117007-629564897
Opcode ID: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction ID: 9751cd454638bcc7bf23e097769634142843b259acdcdf6531404e40a8ce2858
Opcode Fuzzy Hash: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction Fuzzy Hash: FF918431209B8882EAD2CF15E8847DDB7A4F7887D4F418116EA9943BA9DF7CC64DCB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E07C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 163filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000E0E1
GetFileSizeEx.KERNEL32 ref: 000000018000E0FB
malloc.MSVCRT ref: 000000018000E127
memset.MSVCRT ref: 000000018000E142
ReadFile.KERNEL32 ref: 000000018000E15C

Part of subcall function 000000018000DDA4: EnterCriticalSection.KERNEL32 ref: 000000018000DDEB
Part of subcall function 000000018000DDA4: LeaveCriticalSection.KERNEL32 ref: 000000018000DE34

malloc.MSVCRT ref: 000000018000E22B
memset.MSVCRT ref: 000000018000E247

Part of subcall function 000000018000DC14: EnterCriticalSection.KERNEL32 ref: 000000018000DC5D
Part of subcall function 000000018000DC14: LeaveCriticalSection.KERNEL32 ref: 000000018000DCA6

GetFileTime.KERNEL32 ref: 000000018000E281
CloseHandle.KERNEL32 ref: 000000018000E28F
free.MSVCRT ref: 000000018000E29C
free.MSVCRT ref: 000000018000E2AF

Strings

D063, xrefs: 000000018000E176
|, xrefs: 000000018000E18C

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFileSection$EnterLeavefreemallocmemset$CloseCreateHandleReadSizeTime
String ID: D063$|
API String ID: 1613485820-3743183194
Opcode ID: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction ID: 1c0486e52071ce2fa8a0c36d95268ac158065e3f2ce4ac4886627ad722c994ab
Opcode Fuzzy Hash: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction Fuzzy Hash: 0A61AF327016588AFBD6CFA5E9457A873E9B70DBD8F008025EE0957BA8DF34C649C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056C84 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 93COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180056CB4
SHGetValueW.SHLWAPI ref: 0000000180056D05

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

memset.MSVCRT ref: 0000000180056D30
memset.MSVCRT ref: 0000000180056D5A
SHGetValueW.SHLWAPI ref: 0000000180056D9C

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

LeaveCriticalSection.KERNEL32(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056DCF

Strings

SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056CF4
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056D80
Partner, xrefs: 0000000180056D6E
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056D46
pid, xrefs: 0000000180056CED
SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056D77
PartnerName, xrefs: 0000000180056D3F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPathmemset$CriticalFileModuleNameSectionValue_wcsicmp$EnterLeave
String ID: Partner$PartnerName$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$pid
API String ID: 264253324-3445957450
Opcode ID: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction ID: 89340431e1bc531ff063a600718ea9f8068e08b94321d1f6c16d494f9f8bead4
Opcode Fuzzy Hash: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction Fuzzy Hash: 98319A32A00A4896FBA29F21AC443D967A0F74D7E4F808615FD68576E8DF79C78DC350

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004808C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800480D3

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

GetTickCount.KERNEL32(?,?,?,?,?,?,?,000000018000644F), ref: 000000018004825D
srand.MSVCRT ref: 0000000180048265
rand.MSVCRT ref: 000000018004826B
rand.MSVCRT ref: 000000018004829C

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,000000018000644F), ref: 0000000180048390
??3@YAXPEAX@Z.MSVCRT ref: 0000000180048415

Strings

http://%s/wcheckquery, xrefs: 00000001800482EE, 0000000180048331
wificheck:1, xrefs: 0000000180048215
wificheck, xrefs: 00000001800481F4
360safe, xrefs: 00000001800481D5
WifiCheckQuery, xrefs: 0000000180048237

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@rand$??3@CountCriticalHeapInitializeProcessSectionTickmemsetsrand
String ID: 360safe$WifiCheckQuery$http://%s/wcheckquery$wificheck$wificheck:1
API String ID: 2719022499-1298750920
Opcode ID: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction ID: c937e0c4e90421d2c820d9f7251a3693a618876eb833e6d48c240cb9fefbc629
Opcode Fuzzy Hash: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction Fuzzy Hash: 31A19E72201F0891EA96DF29D8443DD33A0FB49BE8F558625EA6D077D1EF78C689C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066608 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
RegQueryValueExW.ADVAPI32 ref: 0000000180066696
RegCloseKey.ADVAPI32 ref: 00000001800666AA

Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 00000001800664D7
Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
Part of subcall function 0000000180066428: memset.MSVCRT ref: 0000000180066519
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 0000000180066556
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 000000018006656C
Part of subcall function 0000000180066428: PathAppendW.SHLWAPI ref: 000000018006657E
Part of subcall function 0000000180066428: PathFileExistsW.SHLWAPI ref: 0000000180066589
Part of subcall function 0000000180066428: GetProcAddress.KERNEL32 ref: 00000001800665AF
Part of subcall function 0000000180066428: FreeLibrary.KERNEL32 ref: 00000001800665C3

RegCloseKey.ADVAPI32 ref: 00000001800666E1
GetCurrentProcess.KERNEL32 ref: 0000000180066715
OpenProcessToken.ADVAPI32 ref: 0000000180066727
CloseHandle.KERNEL32 ref: 0000000180066748
GetCommandLineW.KERNEL32 ref: 000000018006675D
wcsstr.MSVCRT ref: 000000018006678D

Strings

/elevated, xrefs: 0000000180066786
ServiceCall, xrefs: 000000018006668B
SOFTWARE\360Safe\360Ent, xrefs: 0000000180066645

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Close$Open$QueryValue$PathProcess$AddressAppendCommandCurrentExistsFileFreeHandleLibraryLineProcTokenmemsetwcsstr
String ID: /elevated$SOFTWARE\360Safe\360Ent$ServiceCall
API String ID: 3868077243-983453937
Opcode ID: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction ID: 15e9288aeb9452e37e9dffc63771de1b8c488dcb05314bb0ab77bc9e2c882ef0
Opcode Fuzzy Hash: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction Fuzzy Hash: 1C514F72B00B188AFB919F65DC847DC33B5BB48BA8F148125EE2A536A5DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002308 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 0000000180002336
SHGetSpecialFolderLocation.SHELL32 ref: 000000018000234D

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetModuleHandleW.KERNEL32 ref: 000000018000239C
GetProcAddress.KERNEL32 ref: 00000001800023B5
GetCurrentProcess.KERNEL32 ref: 00000001800023C7
wcsstr.MSVCRT ref: 0000000180002407

Strings

Kernel32.dll, xrefs: 0000000180002395
(x86), xrefs: 0000000180002437
\SysWOW64, xrefs: 00000001800023FD
\System32, xrefs: 0000000180002415
IsWow64Process, xrefs: 00000001800023AB

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentFolderFromHandleListLocationMallocModulePathProcProcessSpecialwcsstr
String ID: (x86)$IsWow64Process$Kernel32.dll$\SysWOW64$\System32
API String ID: 3215350457-2087702655
Opcode ID: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction ID: 20fdff06134b497470b840b0dc70d8e75aaa21696b334e6b55e82bb231538848
Opcode Fuzzy Hash: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction Fuzzy Hash: 58411C7120574882FB96DB65EC543E932A0BB8DBE0F55C226A9A9477A5DF38C74DC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800448C4 Relevance: 19.8, APIs: 13, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044908
GetTickCount.KERNEL32 ref: 00000001800449C4
srand.MSVCRT ref: 00000001800449CC
rand.MSVCRT ref: 00000001800449D2
LeaveCriticalSection.KERNEL32 ref: 0000000180044A6F
EnterCriticalSection.KERNEL32 ref: 0000000180044AE0
SysAllocString.OLEAUT32 ref: 0000000180044BF7
SysStringByteLen.OLEAUT32 ref: 0000000180044C0C
SysAllocStringByteLen.OLEAUT32 ref: 0000000180044C17
SysFreeString.OLEAUT32 ref: 0000000180044C26
LeaveCriticalSection.KERNEL32 ref: 0000000180044C63
EnterCriticalSection.KERNEL32 ref: 0000000180044CBE
LeaveCriticalSection.KERNEL32 ref: 0000000180044CD1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$String$EnterLeave$AllocByte$CountFreeTickrandsrand
String ID:
API String ID: 2388112003-0
Opcode ID: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction ID: ae2396e8f272108b73aaedae01213fa34c0c0a48780782be1cf856f1cb9becad
Opcode Fuzzy Hash: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction Fuzzy Hash: D7C1A133711E4986FB86CF6598843ED23A0F748BE8F498215EE295B794DF34CA49C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060B20 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 113libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180062148: memset.MSVCRT ref: 000000018006217C
Part of subcall function 0000000180062148: GetModuleFileNameW.KERNEL32 ref: 0000000180062193
Part of subcall function 0000000180062148: PathCombineW.SHLWAPI ref: 00000001800621AA
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621DB
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621EF
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062203
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062217
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006222B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006223F
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062253
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062267
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006227B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006228F

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060B9F
CloseHandle.KERNEL32 ref: 0000000180060BD7
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BF2
GetModuleFileNameExW.PSAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C0E
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C1F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C2F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C4A
CloseHandle.KERNEL32 ref: 0000000180060C76
SysFreeString.OLEAUT32 ref: 0000000180060C89

Strings

Kernel32.dll, xrefs: 0000000180060C18
QueryFullProcessImageNameW, xrefs: 0000000180060C28

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModuleOpenProcess$CloseFileName$CombineFreePathStringmemset
String ID: Kernel32.dll$QueryFullProcessImageNameW
API String ID: 930578061-1170590071
Opcode ID: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction ID: 54324c73b988387a6f6bb080a4d890c873d93734858c8758c4fce1d00ab0755c
Opcode Fuzzy Hash: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction Fuzzy Hash: AD418231B01F089AE751CBA2EC04BDD72A2BB4DBD4F548524EE69637A4DF388619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040CB0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 0000000180040CEF
memset.MSVCRT ref: 0000000180040D0A
SHGetValueW.SHLWAPI ref: 0000000180040D49
atoi.MSVCRT ref: 0000000180040D70
GetVersion.KERNEL32 ref: 0000000180040D80
GetModuleHandleW.KERNEL32 ref: 0000000180040DD0
GetProcAddress.KERNEL32 ref: 0000000180040DE0

Strings

CurrentVersion, xrefs: 0000000180040D34
ntdll.dll, xrefs: 0000000180040DC9
RtlGetVersion, xrefs: 0000000180040DD9
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000000180040D3B

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Version$AddressHandleModuleProcValueatoimemset
String ID: CurrentVersion$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1009632096-1820686997
Opcode ID: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction ID: 603b8f84a57364ab934b969a098bbde4f8155cf87e7eb2653b8acdc6aa15b94a
Opcode Fuzzy Hash: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction Fuzzy Hash: 0F416D31615A498AF792CF20EC883DB77A0F78C7A5F918115F56A426A8DF3CD24CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180078A30 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__C_specific_handler.MSVCRT ref: 0000000180078A39
?terminate@@YAXXZ.MSVCRT ref: 0000000180078A58
abort.MSVCRT ref: 0000000180078A72
_errno.MSVCRT ref: 0000000180078AAA
_errno.MSVCRT ref: 0000000180078B26
iswctype.MSVCRT ref: 0000000180078BF5
_errno.MSVCRT ref: 0000000180078C8D
free.MSVCRT ref: 0000000180078C9D

Strings

f, xrefs: 0000000180078A3F
csm, xrefs: 0000000180078A45

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$?terminate@@C_specific_handlerabortfreeiswctype
String ID: csm$f
API String ID: 3008409500-629598281
Opcode ID: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction ID: 7b0f8dd17277ba6112c52f93bbbd1643d611d3ff89c652db72cc518acb6e3753
Opcode Fuzzy Hash: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction Fuzzy Hash: 1D819172781B0889FBA6DFA490503EC23E0EF4C7D8F048515FA5917BC9DE3A8A599321

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004A39C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 000000018004A3C8
SetForegroundWindow.USER32 ref: 000000018004A3DB
wcsstr.MSVCRT ref: 000000018004A3FC
memset.MSVCRT ref: 000000018004A46F
ShellExecuteW.SHELL32 ref: 000000018004A5FC

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

Part of subcall function 000000018004AF08: ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 0000000180049798: CoInitialize.OLE32 ref: 00000001800497D2
Part of subcall function 0000000180049798: CoCreateInstance.OLE32 ref: 0000000180049805
Part of subcall function 0000000180049798: IUnknown_QueryService.SHLWAPI ref: 0000000180049897

Strings

http://, xrefs: 000000018004A42C
p, xrefs: 000000018004A45C
open, xrefs: 000000018004A47A, 000000018004A53B, 000000018004A5F3
Progman, xrefs: 000000018004A3C1
Program manager, xrefs: 000000018004A3BA

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentExecuteProcessShellWindow$CreateErrorFindForegroundInformationInitializeInstanceLastQueryServiceTickTokenUnknown_memsetsrandwcsstr
String ID: Progman$Program manager$http://$open$p
API String ID: 1516062321-2122229248
Opcode ID: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction ID: 5854d287d17234f5949c9620cb83c855c738d658d9246579e802d6f7b8ceff8d
Opcode Fuzzy Hash: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction Fuzzy Hash: A971A672209F8981FBA19B29D4913DE7360F7C97F4F058326BA6942AD5DF38C648C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056400 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 00000001800564A0

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 00000001800564F2
memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD
_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe, xrefs: 0000000180056477
safemon\360EDRSensor.exe, xrefs: 00000001800565D2

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe$safemon\360EDRSensor.exe
API String ID: 1838183957-848848004
Opcode ID: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction ID: 12369466515329e4b94078003e01a8293ee627d21bf6a1b54a8e48e621231722
Opcode Fuzzy Hash: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction Fuzzy Hash: F9617132614A4886EBA1DF25E8543DA73A4FB8C7E4F408215BAAD437E5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005619C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 000000018005623C

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 000000018005628E
memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349
_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe, xrefs: 0000000180056213

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe$safemon\360ExtHost.exe
API String ID: 1838183957-351904165
Opcode ID: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction ID: 01aece9f02afbb37390a2111cb2c5fee408a8cfe5dec439bdff79febd640f7a5
Opcode Fuzzy Hash: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction Fuzzy Hash: 27615132614A4892EBA1DB25E8543DA73A4FB8C7E4F448315BAAD436F5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052160 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 000000018005218D

Part of subcall function 0000000180030EE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180030F5A

??3@YAXPEAX@Z.MSVCRT ref: 00000001800521B1
??3@YAXPEAX@Z.MSVCRT ref: 0000000180052230
DeleteCriticalSection.KERNEL32(?,?,?,?,0000000180006BF2), ref: 0000000180052261

Strings

Num_Catalog_Entries, xrefs: 0000000180052346
%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353
Num_Catalog_Entries64, xrefs: 000000018005233F
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, xrefs: 00000001800524C4
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalDeleteSection
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 1297904149-2676930693
Opcode ID: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction ID: 73cc0848a655b1fb88aa06a885314cf1e75da9385d723178a5cf1b8a64167aea
Opcode Fuzzy Hash: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction Fuzzy Hash: F631F232741B4892EF668F25E4443DC63A0F74ABE0F588621EB5C07BA5CF39D5A9C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A8D4 Relevance: 16.6, APIs: 11, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A907
FindResourceW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A91F
SizeofResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A933
LoadResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A942
LockResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A953
malloc.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A964
memmove.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A97B
FreeResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A983
FreeLibrary.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A98C
VerQueryValueW.VERSION(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9B4
free.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9D9

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction ID: 8185c375a913dccbf35fde3c3455573a2fd048fb7f01b55c3a130ccbeb9ebe14
Opcode Fuzzy Hash: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction Fuzzy Hash: 09316B35606B4886EA86DF16AC0479AB3E4BB4DFC0F0A8426AE4907764EF3CD649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019044 Relevance: 16.6, APIs: 11, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018001906D
FindResourceW.KERNEL32 ref: 0000000180019085
SizeofResource.KERNEL32 ref: 0000000180019099
LoadResource.KERNEL32 ref: 00000001800190A8
LockResource.KERNEL32 ref: 00000001800190B9
malloc.MSVCRT ref: 00000001800190CA
memmove.MSVCRT ref: 00000001800190E1
FreeResource.KERNEL32 ref: 00000001800190E9
FreeLibrary.KERNEL32 ref: 00000001800190F2
VerQueryValueW.VERSION ref: 000000018001911A
free.MSVCRT ref: 000000018001913F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
Instruction ID: 7be624b5aba991f8dce8e488531e7c4bc30f0810fde0e2206e2c198a200c07cc
Opcode Fuzzy Hash: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
Instruction Fuzzy Hash: F5316D31702B448AEB87DF6AA84479977E0BB4CFD4F098425AE0907764EF38D64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003F070 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000018003F0F4
memset.MSVCRT ref: 000000018003F111
memset.MSVCRT ref: 000000018003F126
SHEnumValueW.SHLWAPI ref: 000000018003F15C
SHGetValueW.SHLWAPI ref: 000000018003F1BF
RegCloseKey.ADVAPI32 ref: 000000018003F29C

Strings

stat, xrefs: 000000018003F0B9

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Valuememset$CloseEnumOpen
String ID: stat
API String ID: 3313869694-548994849
Opcode ID: 021697519deb37d11cec93fa9a5ab951d19f885d93b4615a5ee70ee1a279cb79
Instruction ID: bca1fd9f3236c41ce4b8b5e5b78ce057e793223580287a74ffbbd9e6a5e702b7
Opcode Fuzzy Hash: 021697519deb37d11cec93fa9a5ab951d19f885d93b4615a5ee70ee1a279cb79
Instruction Fuzzy Hash: 4E616076614A8896D7A2CF25E4403DB77A4F7897D4F518216EB9C43BA8DF39C609CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066A90
GetModuleFileNameW.KERNEL32 ref: 0000000180066AA1
GetCommandLineW.KERNEL32 ref: 0000000180066B41
memset.MSVCRT ref: 0000000180066B85
ShellExecuteExW.SHELL32 ref: 0000000180066BCC
CloseHandle.KERNEL32 ref: 0000000180066BE1

Strings

MPR.dll, xrefs: 0000000180066AC1
runas, xrefs: 0000000180066B9B
/elevated, xrefs: 0000000180066B55

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memset$CloseCommandExecuteFileHandleLineModuleNameShell
String ID: /elevated$MPR.dll$runas
API String ID: 3400839104-479190379
Opcode ID: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction ID: c5738ef19aefcfe0893ce15e6bbb4f81d570db0aa822fd902f1c1618a14612e4
Opcode Fuzzy Hash: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction Fuzzy Hash: 35518F32611B4481EB919B29D85039A73A5FB88BF4F108316FABE437E4DF38C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C8C Relevance: 15.2, APIs: 10, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 0000000180028D17
_wcsupr.MSVCRT ref: 0000000180028D26
StringFromGUID2.OLE32 ref: 0000000180028DCA
_wcsupr.MSVCRT ref: 0000000180028DD8
StringFromGUID2.OLE32 ref: 0000000180028E38
_wcsupr.MSVCRT ref: 0000000180028E4A
StringFromGUID2.OLE32 ref: 0000000180028E84
_wcsupr.MSVCRT ref: 0000000180028E92
StringFromGUID2.OLE32 ref: 0000000180028EC4
_wcsupr.MSVCRT ref: 0000000180028ED5

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FromString_wcsupr$HeapProcess
String ID:
API String ID: 2249050647-0
Opcode ID: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction ID: c2b84f69b377f8d486519554b3a5ef31eab8a077f1ecb1a3c09cbb62b7b5dce0
Opcode Fuzzy Hash: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction Fuzzy Hash: A5A19E36302A4881EBE79F15D8403E963A1FB58BD4F45C116EA5E5B6E9DF38CB89D300

Uniqueness

Uniqueness Score: -1.00%

Function 00131C38 Relevance: 15.2, APIs: 10, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00131C72

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

Process32First.KERNEL32 ref: 00131CFC
Process32Next.KERNEL32 ref: 00131D1D
Process32First.KERNEL32 ref: 00131D49
Process32Next.KERNEL32 ref: 00131D96
Process32First.KERNEL32 ref: 00131DAD
wsprintfA.USER32 ref: 00131EF0
wsprintfA.USER32 ref: 00131F96
Process32Next.KERNEL32 ref: 001320D3
CloseHandle.KERNEL32 ref: 001320F0

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
String ID:
API String ID: 3605396869-0
Opcode ID: bb05992a4f7f9f49a53442d2e1aaa10a6dfd61868bba92c4a54245666e2faaf4
Instruction ID: d90c1bca6a782a4c22c109914a8abe53440f5c5a9064bd137ed4e488ea72d955
Opcode Fuzzy Hash: bb05992a4f7f9f49a53442d2e1aaa10a6dfd61868bba92c4a54245666e2faaf4
Instruction Fuzzy Hash: 33C1D776209B85D9DA30DB15E4903DAB7A5FBD9384F804126EBCD43B68EF38C649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800421D4 Relevance: 15.2, APIs: 10, Instructions: 163networkCOMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423F9

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 000000018004228E
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800422DA
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042302
htons.WS2_32 ref: 000000018004234A
htonl.WS2_32 ref: 0000000180042358
htons.WS2_32 ref: 0000000180042366
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000180042385
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423AB
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423D3

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalMultiSectionWidehtonlhtons$EnterLeavememmove
String ID:
API String ID: 505489203-0
Opcode ID: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction ID: 546e40b67bc81cdcf22b9085e67948acfa9500907e31d87aed3a5e4506fe483b
Opcode Fuzzy Hash: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction Fuzzy Hash: A6711C32B05B548AFB96CFA1E8403ED33B5B70879DF468025EE5627A98DF38C659C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052280 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 220COMMON

Download Yara Rule

Strings

Num_Catalog_Entries, xrefs: 0000000180052346
%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353
Num_Catalog_Entries64, xrefs: 000000018005233F
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 0-1196714001
Opcode ID: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction ID: 902fc08f0a24e927d00bac490aa4b2e4fc0ab2cffff010c51715f7c20a33671b
Opcode Fuzzy Hash: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction Fuzzy Hash: 8B91E232701B4886EB96CB62A8407D973A0FB8DBD4F058225BF6D17795EF39CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C720 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 000000018002C7A1
_wcsupr.MSVCRT ref: 000000018002C7AF
SysFreeString.OLEAUT32 ref: 000000018002C8DA
??_V@YAXPEAX@Z.MSVCRT ref: 000000018002C8EC
??3@YAXPEAX@Z.MSVCRT ref: 000000018002C8FE
_wtoi.MSVCRT ref: 000000018002C9F2

Strings

internetshortcut, xrefs: 000000018002C96B
hotkey, xrefs: 000000018002C95A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@FreeFromHeapProcess_wcsupr_wtoi
String ID: hotkey$internetshortcut
API String ID: 2885337837-1159320594
Opcode ID: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction ID: 4557ede77b3344c9b7d134b2ef366cc1eba795b6e68afc4d6349487d3a9816dc
Opcode Fuzzy Hash: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction Fuzzy Hash: 56915972701B4886EB96DF69D84079D33A0F748BE4F44C626AA6D477E4DF38CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AA00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,?,?,?,00000000), ref: 000000018003AA41
Sleep.KERNEL32(?,?,?,?,00000000), ref: 000000018003AA64

Strings

JudgeVersion, xrefs: 000000018003AB6A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: JudgeVersion
API String ID: 1164918020-3141317846
Opcode ID: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction ID: 47c15e1018a900855fb3b169089698e2b9417bb7c9542535bb0a2760737ebbf6
Opcode Fuzzy Hash: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction Fuzzy Hash: EE51AB32604A889AFB979F65DD843DE73A1F3097D4F468525EA2A83790DF34CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005E750 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152filesynchronizationCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 000000018005E831
GetFileAttributesW.KERNEL32 ref: 000000018005E898
SetFileAttributesW.KERNEL32 ref: 000000018005E8B3
DeleteFileW.KERNEL32 ref: 000000018005E909
GetLastError.KERNEL32 ref: 000000018005E919
GetLastError.KERNEL32 ref: 000000018005E921
ReleaseMutex.KERNEL32 ref: 000000018005E936

Strings

PRAGMA synchronous = OFF;, xrefs: 000000018005E7E9, 000000018005E87B

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File$AttributesDeleteErrorLast$MutexRelease
String ID: PRAGMA synchronous = OFF;
API String ID: 874664252-1854902270
Opcode ID: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction ID: fa77642fd0660764f5a509da37546a8681fbf34ddf7b90f5fa11f8d2a21f9c13
Opcode Fuzzy Hash: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction Fuzzy Hash: 6551A335700B8996FEDE8F6594517B92390AB4DBD4F048524BEAE677E0DF35CA098300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800570A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800570E7
GetModuleFileNameW.KERNEL32 ref: 00000001800570FE
PathRemoveFileSpecW.SHLWAPI ref: 0000000180057109
PathFileExistsW.SHLWAPI ref: 000000018005715E
PathFileExistsW.SHLWAPI ref: 00000001800571E7

Strings

\QHVer.dll, xrefs: 0000000180057178
\360ver.dll, xrefs: 000000018005711F
%hd.%hd.%hd.%hd, xrefs: 0000000180057233

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File$Path$Exists$ModuleNameRemoveSpecmemset
String ID: %hd.%hd.%hd.%hd$\360ver.dll$\QHVer.dll
API String ID: 3680197243-1037704697
Opcode ID: 3e80556d967b03fa81a8d0e192ef84c8c157516f2ebd988b45dcbe8060877e80
Instruction ID: 3305af636dff0720fe62b84610ade698e39c861821be0ce054630d245facfc05
Opcode Fuzzy Hash: 3e80556d967b03fa81a8d0e192ef84c8c157516f2ebd988b45dcbe8060877e80
Instruction Fuzzy Hash: 73516572701A4982E751DB29D84078A77A0F789BF4F408212FA6D877E5DF39CA49CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044568 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800445B0

Part of subcall function 00000001800463BC: ??2@YAPEAX_K@Z.MSVCRT ref: 00000001800463D3

GetTickCount.KERNEL32 ref: 000000018004461F
srand.MSVCRT ref: 0000000180044627
rand.MSVCRT ref: 000000018004462D
rand.MSVCRT ref: 0000000180044651
InitializeCriticalSection.KERNEL32 ref: 0000000180044763

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 000000018004483D
Part of subcall function 0000000180044810: ??3@YAXPEAX@Z.MSVCRT ref: 000000018004488A
Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 00000001800448AA

??3@YAXPEAX@Z.MSVCRT ref: 00000001800447A5

Strings

http://%s/dquery, xrefs: 00000001800446A3, 00000001800446F3

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@CriticalSection$??3@Deleterand$CountInitializeTickmemsetsrand
String ID: http://%s/dquery
API String ID: 3689213441-2489601265
Opcode ID: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction ID: 80c6b5da0a524930356cbb69355e12e6cacd4ac9a253962bc35af1aeed2dd264
Opcode Fuzzy Hash: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction Fuzzy Hash: F3619076211F4986E7829B64EC843D933A0FB497A8F518316ED29076E5EF78C78DC344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005ECC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180018E8C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
Part of subcall function 0000000180018E8C: CreateFileW.KERNEL32 ref: 0000000180018EC6
Part of subcall function 0000000180018E8C: DeviceIoControl.KERNEL32 ref: 0000000180018F04
Part of subcall function 0000000180018E8C: CloseHandle.KERNEL32 ref: 0000000180018F0F

memset.MSVCRT ref: 000000018005ED13
GetModuleFileNameW.KERNEL32 ref: 000000018005ED24

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

GetModuleFileNameW.KERNEL32 ref: 000000018005ED55
PathAppendW.SHLWAPI ref: 000000018005ED69
PathFileExistsW.SHLWAPI ref: 000000018005EDD0

Strings

\heavygate64.dll, xrefs: 000000018005EDEE
\deepscan\heavygate64.dll, xrefs: 000000018005EDBA
\Config\MessageCenter.db, xrefs: 000000018005ED93

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File$Path$CriticalExistsModuleNameSection$AppendCloseControlCreateCurrentDeviceEnterHandleLeaveProcessmemset
String ID: \Config\MessageCenter.db$\deepscan\heavygate64.dll$\heavygate64.dll
API String ID: 830827343-1853890022
Opcode ID: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction ID: ed8f6b5c495fe7c06dfc5e892af335cc1c0a2688f7bbfb93a7c5ae832a2d3b97
Opcode Fuzzy Hash: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction Fuzzy Hash: 12413B72214A8995EBB5DF21EC413D92360F7897C8F808112FA4D9B5A9DF39C70DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004288 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800042C6

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetFileAttributesW.KERNEL32 ref: 00000001800042FA
memset.MSVCRT ref: 0000000180004316
ILCreateFromPath.SHELL32 ref: 0000000180004330
ILCombine.SHELL32 ref: 000000018000437A
CoTaskMemFree.OLE32 ref: 0000000180004387
CoTaskMemFree.OLE32 ref: 0000000180004394

Strings

:, xrefs: 00000001800042E7

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FreeFromPathTaskmemset$AttributesCombineCreateFileList
String ID: :
API String ID: 2941325240-336475711
Opcode ID: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction ID: dc65f2bc49bddac93e31888ce9d3fd3537e0c7ef9c239f6ea7558133a88505f1
Opcode Fuzzy Hash: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction Fuzzy Hash: 7731747260458881EAB5DB16E4543ED7361FB8CBC4F44D115FA4E86AA5DF3CCB49C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060A0C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180060A59
GetClassNameW.USER32 ref: 0000000180060A6C
StrCmpIW.SHLWAPI ref: 0000000180060A8C
StrCmpIW.SHLWAPI ref: 0000000180060AAD
GetWindowTextW.USER32 ref: 0000000180060AC5
StrStrIW.SHLWAPI ref: 0000000180060AE0

Strings

ApplicationFrameWindow, xrefs: 0000000180060AA6
Microsoft Edge, xrefs: 0000000180060AD4

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ClassNameTextWindowmemset
String ID: ApplicationFrameWindow$Microsoft Edge
API String ID: 1817102812-2764675319
Opcode ID: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction ID: cbb3fe303a1e4ce820f684c33e5910fd11efe3c021ca595ae8cabc946684c7f6
Opcode Fuzzy Hash: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction Fuzzy Hash: 3721943135478985FAA19F65E8843DA6361F78C7C4F648125AAAD872A4EF7CC74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008B5C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008B8A
GetProcAddress.KERNEL32 ref: 0000000180008B9F
RegDeleteKeyW.ADVAPI32 ref: 0000000180008BD1
GetModuleHandleW.KERNEL32 ref: 0000000180008BFE
GetProcAddress.KERNEL32 ref: 0000000180008C13

Strings

Advapi32.dll, xrefs: 0000000180008B83, 0000000180008BF7
RegDeleteKeyTransactedW, xrefs: 0000000180008B95
RegDeleteKeyExW, xrefs: 0000000180008C09

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction ID: 915c5fbfce3db82b286e5c0612373c0c02ac60b4c6bcd7d6af2be75d68b23045
Opcode Fuzzy Hash: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction Fuzzy Hash: 9F314675209A4891FBA2CB11EC047D973A0BB4DBD4F58C025AE9A07BA4EF3CC748D310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064DE4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064E2F
GetModuleFileNameW.KERNEL32 ref: 0000000180064E51
PathAppendW.SHLWAPI ref: 0000000180064E63
PathAppendW.SHLWAPI ref: 0000000180064E75
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180064E7E

Part of subcall function 000000018006442C: memset.MSVCRT ref: 0000000180064485
Part of subcall function 000000018006442C: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
Part of subcall function 000000018006442C: GetLastError.KERNEL32 ref: 000000018006449C
Part of subcall function 000000018006442C: EnterCriticalSection.KERNEL32 ref: 00000001800644C5
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800644DB
Part of subcall function 000000018006442C: GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 0000000180064508
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 000000018006451C
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064549
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006455E
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064573
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064588
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006459D
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800645E5

LeaveCriticalSection.KERNEL32 ref: 0000000180064EA8

Strings

..\deepscan\, xrefs: 0000000180064E57
speedmem2.hg, xrefs: 0000000180064E69

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$AppendCriticalPathSection$memset$EnterFileModuleName$??2@CountErrorInitializeLastLeaveSpin
String ID: ..\deepscan\$speedmem2.hg
API String ID: 2338990259-1390971677
Opcode ID: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction ID: 91bce694e0342d9d21a92653d8ecf9702c458f92e478111cc4d5f0d53c5c3f7e
Opcode Fuzzy Hash: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction Fuzzy Hash: BB212C35215B4D81EA928B64FC953996360FB5C7E4F409215E96D077B4EF78C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004242C Relevance: 13.7, APIs: 9, Instructions: 156networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042510
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004253B
htons.WS2_32 ref: 0000000180042586
htonl.WS2_32 ref: 0000000180042596
htons.WS2_32 ref: 00000001800425A4
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00000001800425C3
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800425E6
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042612
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042632

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSectionhtonlhtons$EnterLeavememmove
String ID:
API String ID: 33644419-0
Opcode ID: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction ID: 90b71582b8c4a32b78347334d3d295f004072f45cff62f784db803bd1658b447
Opcode Fuzzy Hash: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction Fuzzy Hash: 69614736B00B549AF792DFA1E9503ED33B5B70878CF458019EE5627A98DF34866EC348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014F24 Relevance: 13.6, APIs: 9, Instructions: 146COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32 ref: 0000000180014FEE
VariantInit.OLEAUT32 ref: 0000000180015009
SafeArrayPutElement.OLEAUT32 ref: 000000018001503B
VariantInit.OLEAUT32 ref: 0000000180015069
VariantInit.OLEAUT32 ref: 0000000180015094

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArraySafe$CreateElement
String ID:
API String ID: 3308809976-0
Opcode ID: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction ID: 146264a788ca7c4eb20d782c9947d04824275c30ee96bc1b713ea33f9e3da92e
Opcode Fuzzy Hash: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction Fuzzy Hash: 52515A32B00A548AE781CFA5EC843DD37B0F7487A9F158125EA5A97764EF34C64AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E59C Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 311COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001E625
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001E6A1
_wcsicmp.MSVCRT ref: 000000018001E926

Strings

InitString, xrefs: 000000018001E741
.exe, xrefs: 000000018001E5A5, 000000018001E919
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 000000018001E8CC
%I64u, xrefs: 000000018001E7A3

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: %I64u$.exe$InitString$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
API String ID: 2081463915-3789319691
Opcode ID: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction ID: 99d661dcfab4fd9f60583e58d61e1d075c9151c162a47e32eebc6396990c7acc
Opcode Fuzzy Hash: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction Fuzzy Hash: A8C1B172710A488AEB929B25D8407DD33A0F749BE8F448216FE6D47BE5DF38C689C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180036EC8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0000000180036F7A
_wcslwr.MSVCRT ref: 0000000180036FC8
wcschr.MSVCRT ref: 0000000180037043
wcscmp.MSVCRT ref: 00000001800370A6
wcscmp.MSVCRT ref: 00000001800370BA

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B73B
Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B764
Part of subcall function 000000018001B6F0: IIDFromString.OLE32 ref: 000000018001B7CF

Strings

clsid2, xrefs: 00000001800370AF
clsid, xrefs: 000000018003709B

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: wcschrwcscmpwcsstr$FromHeapProcessString_wcslwr
String ID: clsid$clsid2
API String ID: 2934854147-3646038404
Opcode ID: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction ID: bd95a24bb0aafbb45aea4f5794df0f126b37bc211fbb868afd4ed2029302fca7
Opcode Fuzzy Hash: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction Fuzzy Hash: 86A16172701A4885EBA79B29C8503EE63A1FB49BD4F46C122FA1D477D6EF74CA49C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068390 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180067B20: memset.MSVCRT ref: 0000000180067B76

memset.MSVCRT ref: 0000000180068455
memmove.MSVCRT ref: 000000018006849B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800684CF
memmove.MSVCRT ref: 0000000180068525
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068555

Strings

generic, xrefs: 0000000180068580
unknown error, xrefs: 00000001800683F1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@memmovememset
String ID: generic$unknown error
API String ID: 2528313377-3628847473
Opcode ID: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction ID: f953be595861da4e4b866d1587ee45b735e1f1b3269ec21885f27e4079069760
Opcode Fuzzy Hash: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction Fuzzy Hash: 4451A372704B8882EF459B16DA443AD6362F749BD0F50C221FB6A07BD6EF78C6A59340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800744F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018007460C
FreeLibrary.KERNEL32 ref: 000000018007466D
GetModuleHandleW.KERNEL32 ref: 000000018007468D
GetProcAddress.KERNEL32 ref: 00000001800746A2

Strings

kernel32, xrefs: 0000000180074686
AddDllDirectory, xrefs: 0000000180074698

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: AddDllDirectory$kernel32
API String ID: 1437655972-3758863895
Opcode ID: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction ID: bbf3e12eda5f2f818c86a6d8723dcf8fbef42ab492d342ab48d7d832c77590ad
Opcode Fuzzy Hash: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction Fuzzy Hash: 7751E53231164885FEA6CF51E4103E962A0FB5DBE4F48C621EA6A4B7D4DF3DC649C705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040688 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180040746
LeaveCriticalSection.KERNEL32 ref: 000000018004078F

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040802
std::_XGetLastError.LIBCPMT ref: 0000000180040811

Strings

arm64, xrefs: 0000000180040713
x86, xrefs: 00000001800407B0
x64, xrefs: 000000018004079E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeavememsetstd::_std::exception_ptr::exception_ptr
String ID: arm64$x64$x86
API String ID: 4069188616-280937049
Opcode ID: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction ID: 117583cd4254ef97ff9b72dc100ece26d9127ce95370434fd6434e2e215e4972
Opcode Fuzzy Hash: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction Fuzzy Hash: 78415B71B00A1C95FA92DB20EC843D937A4F70C7E8FA58611F96A536E6DF34C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040E18 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180040ECE
GetProcAddress.KERNEL32 ref: 0000000180040EDE
GetCurrentProcess.KERNEL32 ref: 0000000180040EF6
std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040F64
std::_XGetLastError.LIBCPMT ref: 0000000180040F72

Strings

Kernel32.dll, xrefs: 0000000180040EC7
IsWow64Process2, xrefs: 0000000180040ED7

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentErrorHandleLastModuleProcProcessstd::_std::exception_ptr::exception_ptr
String ID: IsWow64Process2$Kernel32.dll
API String ID: 1364622999-2175735969
Opcode ID: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction ID: 5a1c62e2a9ead4f3428123871bab1930646db393e55966b9c052552951b7636c
Opcode Fuzzy Hash: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction Fuzzy Hash: DD416531204B4991EAA2CF14EC843DA73A4FB8D794FA18226F659437A5DF38CB4DCB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C6D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

EnterCriticalSection.KERNEL32 ref: 000000018003C719
LeaveCriticalSection.KERNEL32 ref: 000000018003C72D
LeaveCriticalSection.KERNEL32 ref: 000000018003C750
GetProcAddress.KERNEL32 ref: 000000018003C77C
FreeLibrary.KERNEL32 ref: 000000018003C7AE
LeaveCriticalSection.KERNEL32 ref: 000000018003C7BF

Strings

InitLibs, xrefs: 000000018003C772

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$AddressEnterFreeInitializeLibraryProc
String ID: InitLibs
API String ID: 388043826-2748520195
Opcode ID: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction ID: 14a8bfa7cef1bdae3a626f07b321ff872beb2833b4a3adf2d3b4914cd80619d3
Opcode Fuzzy Hash: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction Fuzzy Hash: 5631953661874882EBA78F25A4547AE23B0F78DFD4F1A9125ED5A473A4DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B004 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001B03F
GetModuleFileNameW.KERNEL32 ref: 000000018001B051
PathFindFileNameW.SHLWAPI ref: 000000018001B05C
_wcsicmp.MSVCRT ref: 000000018001B074
_wcsicmp.MSVCRT ref: 000000018001B094

Strings

360tray.exe, xrefs: 000000018001B06A
QHSafeTray.exe, xrefs: 000000018001B08A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FileName_wcsicmp$FindModulePathmemset
String ID: 360tray.exe$QHSafeTray.exe
API String ID: 2436975468-72543816
Opcode ID: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction ID: f13d88eabac643da90db78e2c45270d8f51b6174de2d3bfd56aa28c15744bb18
Opcode Fuzzy Hash: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction Fuzzy Hash: 86114230615B4882FBA6CB21EC593D62364FB8C7A5F408225E56A867E5EF3DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00134110 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

Part of subcall function 00137E90: SHGetFolderPathW.SHELL32 ref: 00137EC3

wsprintfW.USER32 ref: 0013424D
wsprintfW.USER32 ref: 001342A8
wsprintfW.USER32 ref: 001343C3

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateFolderMemoryPathVirtual
String ID:
API String ID: 206084008-0
Opcode ID: 3f0a1096dd83600a13c208f95dfa09032702bdcf8618f0e5637695aff639911f
Instruction ID: 33fa18e80fd0d32cbb379dad9d5152cf90c8dd4af6d979dbeb00c60d82ca31fc
Opcode Fuzzy Hash: 3f0a1096dd83600a13c208f95dfa09032702bdcf8618f0e5637695aff639911f
Instruction Fuzzy Hash: 5BC1E732219BC596DA60EB10F4913DBB7A1FBD8340F905426EACD87A69EF7CC549CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005A8D8 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 000000018005A906
EnterCriticalSection.KERNEL32 ref: 000000018005A951
_time64.MSVCRT ref: 000000018005A95D
LeaveCriticalSection.KERNEL32 ref: 000000018005AAC1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection_time64$EnterLeave
String ID:
API String ID: 3499907473-0
Opcode ID: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction ID: 2d3d355faa5a201e66dfe59503a55f94d93e9d2144db4385c4ebef4b0973e561
Opcode Fuzzy Hash: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction Fuzzy Hash: B9517B31605B4889FB968F25E9543D933A5FB0EBE8F548115FD5A27764CF39C689C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074200 Relevance: 12.1, APIs: 8, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180074221

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction ID: 8158435372b26aa4a6dd2edb7174a458af360551698bfd787e5366ef90707461
Opcode Fuzzy Hash: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction Fuzzy Hash: 0441A733604A4886EAA36FA9A4003DD7290BB8C7F4F55C310FA684B7D6CF3DC6598711

Uniqueness

Uniqueness Score: -1.00%

Function 00135750 Relevance: 11.0, APIs: 7, Instructions: 467threadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00135BB7
wsprintfA.USER32 ref: 00135CA6
wsprintfA.USER32 ref: 00135DCD
new[].LIBCPMTD ref: 00135E75

Part of subcall function 00134D20: InternetCloseHandle.WININET ref: 00134F33
Part of subcall function 00134D20: InternetCloseHandle.WININET ref: 00134F46

new[].LIBCPMTD ref: 00135FA3
GetExitCodeThread.KERNEL32 ref: 001361C3
GetExitCodeThread.KERNEL32 ref: 001361FC

Part of subcall function 0013AD34: NtAllocateVirtualMemory.NTDLL ref: 0013AD6A

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseCodeExitHandleInternetThreadnew[]$AllocateMemoryVirtual
String ID:
API String ID: 511820185-0
Opcode ID: c733c1eb138d61e5c7cccf2536b94b4266d490a8e64c5f5d78646b0364d0b340
Instruction ID: 33f26353f881e9d2c12f311749bea7777a10d8a17e1469cef85af5cfd2f2ce7a
Opcode Fuzzy Hash: c733c1eb138d61e5c7cccf2536b94b4266d490a8e64c5f5d78646b0364d0b340
Instruction Fuzzy Hash: A342B272609BC48AE775DB16E88439AB7A1F788744F50412ADB8D87B69DF7CC488CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056664 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 463registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

RegCloseKey.ADVAPI32 ref: 0000000180056B49

Strings

?, xrefs: 0000000180056B12
360Safe, xrefs: 00000001800566C5
360EntSecurity, xrefs: 00000001800566AF
SOFTWARE\, xrefs: 0000000180056852, 0000000180056A1B, 0000000180056BC8
SOFTWARE\Wow6432Node\, xrefs: 000000018005678F, 000000018005695A, 0000000180056B7E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$CloseFileHeapModuleNameProcess_wcsicmpmemset
String ID: 360EntSecurity$360Safe$?$SOFTWARE\$SOFTWARE\Wow6432Node\
API String ID: 2226481571-3054377637
Opcode ID: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction ID: 5d79a3dbe08d97a28ec647ffc4188a53122dfd3fad7d09cd3595c12d58dad182
Opcode Fuzzy Hash: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction Fuzzy Hash: 211261B2701A4886EB419B69C8413DD73A1FB85BF4F448711AA3D977E5DF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C720 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018004C7EF
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C802
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C815
_wtoi.MSVCRT ref: 000000018004C918

Part of subcall function 000000018004CD44: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5

SysFreeString.OLEAUT32 ref: 000000018004C9F7

Strings

//reccfg/wndclass, xrefs: 000000018004C79A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString$??2@??3@_wtoi
String ID: //reccfg/wndclass
API String ID: 1119205991-3779619899
Opcode ID: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction ID: aac1c87dd54dd223690f6a51cef8bcee3ce48f855a47f00273c96f55abf577db
Opcode Fuzzy Hash: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction Fuzzy Hash: D5B17A32701E489AEB81CF79C4803DC33A0F749B98F058626EA1E57B98DF38CA59C345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042664 Relevance: 10.7, APIs: 7, Instructions: 237networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180042CB8: WideCharToMultiByte.KERNEL32 ref: 0000000180042D94

htons.WS2_32 ref: 00000001800427AA
htonl.WS2_32 ref: 00000001800427B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800428C1
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042920
memmove.MSVCRT ref: 0000000180042957

Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 00000001800430C2
Part of subcall function 0000000180043090: ??_V@YAXPEAX@Z.MSVCRT ref: 00000001800430E0
Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 0000000180043129

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429A0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429CB

Part of subcall function 0000000180043214: htonl.WS2_32 ref: 0000000180043230

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$htonl$htonsmemmove
String ID:
API String ID: 2604728826-0
Opcode ID: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction ID: c6a7ef21b5906d6b557d77442a06c91d81bd98b5ee7ca8850e16d0b233cac89c
Opcode Fuzzy Hash: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction Fuzzy Hash: 21B15B36704B848AE792CF61F48039EB7B5F748788F518015EE8917A98CF38D65DDB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068020 Relevance: 10.7, APIs: 7, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

memmove.MSVCRT ref: 000000018006809D
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068131
??3@YAXPEAX@Z.MSVCRT ref: 000000018006818D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018001AF0F), ref: 00000001800681DE
_CxxThrowException.MSVCRT ref: 0000000180068219
?terminate@@YAXXZ.MSVCRT ref: 00000001800682C7
?terminate@@YAXXZ.MSVCRT ref: 00000001800682CD

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@?terminate@@$ErrorExceptionLastThrowmemmove
String ID:
API String ID: 223594506-0
Opcode ID: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction ID: fcc32ee8dbcfcc96106fa9aa2d9edb036d58ed735eb2ced8cd8263455d285739
Opcode Fuzzy Hash: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction Fuzzy Hash: 0971E472210B8882EB559F19E8403DE6321FB8DBD4F608611FBAD47B96DF38C699C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CB00 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHGetValueW.SHLWAPI ref: 000000018000CBF6
_time64.MSVCRT ref: 000000018000CC10

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070DDE

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070E1F

SHGetValueW.SHLWAPI ref: 000000018000CD0C

Strings

%s_count, xrefs: 000000018000CB87
%s_lasttime, xrefs: 000000018000CB9B
CloudCfg, xrefs: 000000018000CBBA

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Value_errno$HeapProcess_time64
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 2146318826-610660357
Opcode ID: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction ID: 0a7454a278269eadbb0ffce7cefadb2dc21e45630bc3a54506c3f9663c92b6cc
Opcode Fuzzy Hash: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction Fuzzy Hash: DC819572215B4986EB91DB64D4807DE77A0F7887E4F508226FA5E437E9DF38CA48CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E478 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32 ref: 000000018000E612
GetHGlobalFromStream.OLE32 ref: 000000018000E64C
GlobalLock.KERNEL32 ref: 000000018000E65F
GlobalSize.KERNEL32 ref: 000000018000E66C

Part of subcall function 000000018000E6F8: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000E74D

GlobalUnlock.KERNEL32 ref: 000000018000E6BE

Strings

__Location__, xrefs: 000000018000E59C

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Global$Stream$??3@CreateFromLockSizeUnlock
String ID: __Location__
API String ID: 3539542440-1240413640
Opcode ID: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction ID: 0f7485e4f93bbca4fed8cf01455b67f1128db3508264a427a58b068d72c2ae23
Opcode Fuzzy Hash: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction Fuzzy Hash: A6818072700A4885EB46DB75D8403DC3761F749BE8F548216EA2E577E5DF34CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C68 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000180008CA7
CharNextW.USER32 ref: 0000000180008CD3
CharNextW.USER32 ref: 0000000180008CED
CharNextW.USER32 ref: 0000000180008D05
CharNextW.USER32 ref: 0000000180008D14
CharNextW.USER32 ref: 0000000180008D81
CharNextW.USER32 ref: 0000000180008DA5

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction ID: 1492bbbb0fb01b81f8d7bc8417cc5d1fdb32638e21ab672acd404a2c35c9a6c4
Opcode Fuzzy Hash: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction Fuzzy Hash: 5B417236615A9881FBA2CF11D4143A833E0FB5CBD4F44C412EB8A47795EF78C7AA9305

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C97C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000CB00: SHGetValueW.SHLWAPI ref: 000000018000CBF6
Part of subcall function 000000018000CB00: _time64.MSVCRT ref: 000000018000CC10

_time64.MSVCRT ref: 000000018000C9A2

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHSetValueW.SHLWAPI ref: 000000018000CA52
SHSetValueW.SHLWAPI ref: 000000018000CA73

Strings

%s_count, xrefs: 000000018000C9EC
%s_lasttime, xrefs: 000000018000C9FF
CloudCfg, xrefs: 000000018000CA14

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Value$_time64$HeapProcess
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 1319719158-610660357
Opcode ID: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction ID: 831a43b99bf02356c207f364941f14581f3732c075b2ce428cfbfee20bf611f1
Opcode Fuzzy Hash: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction Fuzzy Hash: 6D416CB2701B4486EB51DB29D84079D37A1FB89BF8F048325AA2E577E5DF38C688C341

Uniqueness

Uniqueness Score: -1.00%

Function 0013B670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 0013B6DE
MapViewOfFile.KERNEL32 ref: 0013B711
VirtualFree.KERNEL32 ref: 0013B815
UnmapViewOfFile.KERNEL32 ref: 0013B82D
CloseHandle.KERNEL32 ref: 0013B838

Strings

@, xrefs: 0013B6F8

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: 9e250b4aa7b62d1553fe35a5f9326120a0ee329e43ca5cceee30773795f05c5d
Instruction ID: 7e3ec4805bf171649116eeb00cfc7755a40712108081f57de73f5286651d6e8e
Opcode Fuzzy Hash: 9e250b4aa7b62d1553fe35a5f9326120a0ee329e43ca5cceee30773795f05c5d
Instruction Fuzzy Hash: AE41E936219B85C2DBA0DB16E49076AB760F7C8B94F505125EB8E83BA9EF7DC444CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AAEC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000018005AB3A
PathAppendW.SHLWAPI ref: 000000018005AB4B

Part of subcall function 000000018001A470: CreateFileW.KERNEL32 ref: 000000018001A4E8
Part of subcall function 000000018001A470: GetFileSizeEx.KERNEL32 ref: 000000018001A4FF
Part of subcall function 000000018001A470: ??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001A51D
Part of subcall function 000000018001A470: ReadFile.KERNEL32 ref: 000000018001A53A
Part of subcall function 000000018001A470: CloseHandle.KERNEL32 ref: 000000018001A567

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018005ABCC
memmove.MSVCRT ref: 000000018005ABDE
??_V@YAXPEAX@Z.MSVCRT ref: 000000018005ABEB

Strings

..\config\msgcenter64.dat, xrefs: 000000018005AB40

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File$AppendCloseCreateHandleModuleNamePathReadSizememmove
String ID: ..\config\msgcenter64.dat
API String ID: 1552649294-925171115
Opcode ID: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction ID: 6037bf8a0cbc718679defd9cfc68d096276397db31603676c3dd85afabd3a34b
Opcode Fuzzy Hash: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction Fuzzy Hash: A1316032604B8886E751CF61E8447CDBBA4F389BD4F508115FEA917BA8CF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD

Part of subcall function 0000000180056400: memset.MSVCRT ref: 00000001800564A0
Part of subcall function 0000000180056400: RegCloseKey.ADVAPI32 ref: 00000001800564F2

_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE
PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

safemon\360EDRSensor.exe, xrefs: 00000001800565D2

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360EDRSensor.exe
API String ID: 2297386589-1382049097
Opcode ID: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction ID: b56041483c5d1cc8e669a9f5834781a952b0b95e5cd2a6710febed08a80e77bc
Opcode Fuzzy Hash: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction Fuzzy Hash: 44315071724A4886EA91DB24EC9439973A0FB8C7A4F409215B96E436F5EF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800562D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349

Part of subcall function 000000018005619C: memset.MSVCRT ref: 000000018005623C
Part of subcall function 000000018005619C: RegCloseKey.ADVAPI32 ref: 000000018005628E

_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A
PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360ExtHost.exe
API String ID: 2297386589-1382862812
Opcode ID: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction ID: 6ff1a21142ab4c8bd4a0b27ef24c26924cb25d1c518f26ee789ee6da218a3a52
Opcode Fuzzy Hash: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction Fuzzy Hash: E7316F71724A4886EBA1DB24EC943997360FB8C7A4F409215B96E836F5DF39C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000892C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008966
GetProcAddress.KERNEL32 ref: 000000018000897B
RegOpenKeyExW.ADVAPI32 ref: 00000001800089CE
RegCloseKey.ADVAPI32 ref: 00000001800089E0

Strings

Advapi32.dll, xrefs: 000000018000895F
RegOpenKeyTransactedW, xrefs: 0000000180008971

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction ID: bf9e62a3942db8529e652a7a00b11324bbad2056b1e05bdd0101147039c14a4a
Opcode Fuzzy Hash: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction Fuzzy Hash: E7218E32604B4482EB92DF02F8543A973A0FB8CBD0F088025AED947B54DF3CC659D701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004410C Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044136
memset.MSVCRT ref: 0000000180044147
_time64.MSVCRT ref: 0000000180044156

Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC33
Part of subcall function 000000018003BC0C: GetLastError.KERNEL32 ref: 000000018003BC3D
Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC62

_time64.MSVCRT ref: 000000018004417C
srand.MSVCRT ref: 0000000180044185
rand.MSVCRT ref: 000000018004418B
LeaveCriticalSection.KERNEL32 ref: 00000001800441C5

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AcquireContextCriticalCryptSection_time64$EnterErrorLastLeavememsetrandsrand
String ID:
API String ID: 1109857607-0
Opcode ID: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction ID: ca70be7a54b7a8b6e3e4f55ca6010b26a0c6ab118fec8c1b3c60b99ca43e49b7
Opcode Fuzzy Hash: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction Fuzzy Hash: 7521A132B10B4482E7559F25E84439C77A5FB99F98F059225DA690BBA5CF38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180084E36 Relevance: 10.6, APIs: 7, Instructions: 50memorysynchronizationCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180084E55

Part of subcall function 000000018006DB10: GetProcessHeap.KERNEL32 ref: 000000018006DB1C
Part of subcall function 000000018006DB10: HeapLock.KERNEL32 ref: 000000018006DB2D
Part of subcall function 000000018006DB10: HeapWalk.KERNEL32 ref: 000000018006DB40
Part of subcall function 000000018006DB10: HeapFree.KERNEL32 ref: 000000018006DB88
Part of subcall function 000000018006DB10: HeapUnlock.KERNEL32 ref: 000000018006DB91

ReleaseMutex.KERNEL32 ref: 0000000180084E73
TlsFree.KERNEL32 ref: 0000000180084E8D
CloseHandle.KERNEL32 ref: 0000000180084E9B
GetProcessHeap.KERNEL32 ref: 0000000180084EAA
HeapFree.KERNEL32 ref: 0000000180084EBD
CloseHandle.KERNEL32 ref: 0000000180084ECD

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CloseHandleProcess$ExceptionLockMutexReleaseThrowUnlockWalk
String ID:
API String ID: 2337826640-0
Opcode ID: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction ID: 33d5259c6290a7581a5ad5f3dc980324b092c5f168283266ec493f33f9dd72fa
Opcode Fuzzy Hash: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction Fuzzy Hash: BB111632601A49CAEB869F21EC543E82360FB4CBD5F19D525BA190B6A5DF34C75DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064040 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018006405B
SysFreeString.OLEAUT32 ref: 0000000180064070
SysFreeString.OLEAUT32 ref: 0000000180064085
SysFreeString.OLEAUT32 ref: 000000018006409A
SysFreeString.OLEAUT32 ref: 00000001800640AF
SysFreeString.OLEAUT32 ref: 00000001800640C4
SysFreeString.OLEAUT32 ref: 00000001800640D9

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction ID: c87333ac7bcb44b69379473da2adcf9225e28ba0b3bfb3a3c4204cf647e2c29f
Opcode Fuzzy Hash: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction Fuzzy Hash: B5110337612B08C6FB96DF64D8583682360FB5DFA9F258704DA6B49599CF38C64DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018E8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
CreateFileW.KERNEL32 ref: 0000000180018EC6
DeviceIoControl.KERNEL32 ref: 0000000180018F04
CloseHandle.KERNEL32 ref: 0000000180018F0F

Strings

L ", xrefs: 0000000180018EFC
\\.\360SelfProtection, xrefs: 0000000180018E9E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleProcess
String ID: L "$\\.\360SelfProtection
API String ID: 3778458602-907869749
Opcode ID: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction ID: 4989c80b025c73f727db9230e342af37d309858987cbaecb77f10a65d22bbdba
Opcode Fuzzy Hash: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction Fuzzy Hash: F6111C32618B84D7C7518F64F88478AB7A0F78C7A4F444725E6AA43B68EF78C65CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800184B8 Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180018666
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001868A
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186D7

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018867

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

Part of subcall function 0000000180043F2C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180044096

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$??3@
String ID:
API String ID: 652292005-0
Opcode ID: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction ID: 16cab60fb696caa1ac382d07db4514fcd7f2788f0d4e97422f2d8c76aa010f09
Opcode Fuzzy Hash: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction Fuzzy Hash: 95C14A32B00B449AEB61CFA1E8407DD33B6F748798F548125EE9967B98DF34C62AD344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004D74 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180004E12
wcsstr.MSVCRT ref: 0000000180004E38
wcsstr.MSVCRT ref: 0000000180004EF1
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,0000000180001A9F), ref: 0000000180004F53
wcsstr.MSVCRT ref: 0000000180004FBE
_errno.MSVCRT ref: 000000018000504A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$_errnomemmove
String ID:
API String ID: 3323953840-0
Opcode ID: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction ID: 824f22201ec0d57d4a2227744580b71807502b4fbd2fda829f419a9b6e1dff6e
Opcode Fuzzy Hash: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction Fuzzy Hash: CF810572701A4881EAA6DB14A4447AE77A0FB4CBE4F15C215FFAE4B7D4DE38C6498704

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800505E0 Relevance: 9.2, APIs: 6, Instructions: 196networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000000180050638
WSCDeinstallProvider.WS2_32 ref: 00000001800507A4
WSCDeinstallProvider32.WS2_32 ref: 00000001800507AC
WSCDeinstallProvider.WS2_32 ref: 0000000180050862
WSCDeinstallProvider32.WS2_32 ref: 000000018005086A
WSACleanup.WS2_32 ref: 00000001800508F4

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Deinstall$ProviderProvider32$CleanupStartup
String ID:
API String ID: 348239931-0
Opcode ID: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction ID: c360e4d789f3669f84b45de69cf2c2640493478b51e108b497c61621dba60db4
Opcode Fuzzy Hash: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction Fuzzy Hash: 48910332604A88C6EB92CB65E4547EE77A4F78C7E4F618111FA8D276A4DF39C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032E5C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032EF4
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F07
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F1A
SysFreeString.OLEAUT32 ref: 0000000180032F63
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F76
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F89

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction ID: 472ff7a9124bb4c66568a88574ce92508997c8508967d0cb70e73e2f7ddd2399
Opcode Fuzzy Hash: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction Fuzzy Hash: B951BD32701A4886EB46DF65D8403AD73B0FB49BE4F098621EB2957BE9DF38C959C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180034178 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003420F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180034222
??3@YAXPEAX@Z.MSVCRT ref: 0000000180034235
SysFreeString.OLEAUT32 ref: 0000000180034279
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003428C
??3@YAXPEAX@Z.MSVCRT ref: 000000018003429F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction ID: d6e040c62356dd28a52f4054929385a923e12d2376c870478276763e31a13ced
Opcode Fuzzy Hash: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction Fuzzy Hash: 9D516F33701B4982EB469F65D85039E63A0FB89FA4F498221EB295B7D9DF38C549C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800322A0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032337
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003234A
??3@YAXPEAX@Z.MSVCRT ref: 000000018003235D
SysFreeString.OLEAUT32 ref: 00000001800323A1
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800323B4
??3@YAXPEAX@Z.MSVCRT ref: 00000001800323C7

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction ID: b9a7bc9aefba1d0cd95c21a72bfdce90d94dfcaa7ac1bda6bd9d80d9113677c1
Opcode Fuzzy Hash: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction Fuzzy Hash: 55516032701B4882EB469F65D85039E73A0FB49FE4F098625EB69577D9DF38C649C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003288C Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002998C
Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002999E

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032923
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032936
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032949
SysFreeString.OLEAUT32 ref: 000000018003298D
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800329A0
??3@YAXPEAX@Z.MSVCRT ref: 00000001800329B3

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$AttributesFile$??2@AllocHeapProcess
String ID:
API String ID: 2343307612-0
Opcode ID: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction ID: 3edc698dfee31cca13762dbc840380725e1013da3230f8d99093220343b8c6e9
Opcode Fuzzy Hash: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction Fuzzy Hash: 21515F32701B4882EB46DF65D85039D73A0FB49FA4F098225EB695B7E9DF38C949C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026754 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800267E9
lstrcmpiW.KERNEL32 ref: 0000000180026826

Strings

{42042206-2D85-11D3-8CFF-005004838597}, xrefs: 000000018002681B
clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\, xrefs: 0000000180026851
ShellEx\IconHandler, xrefs: 0000000180026798
\DefaultIcon, xrefs: 0000000180026863

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcmpimemset
String ID: ShellEx\IconHandler$\DefaultIcon$clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\${42042206-2D85-11D3-8CFF-005004838597}
API String ID: 3784069311-1340094651
Opcode ID: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction ID: 9f0af0b831dc55336fcff299f0060eabbe44d87f67dffe850d980bb31fffbbb0
Opcode Fuzzy Hash: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction Fuzzy Hash: 0251A672601E4982EB52DB29D8817DE6760FB897F4F508312FA6D436E5DF38C689C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800503B8 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180050421
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050458
EnterCriticalSection.KERNEL32 ref: 00000001800504D4
LeaveCriticalSection.KERNEL32 ref: 000000018005051D
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050544
LeaveCriticalSection.KERNEL32 ref: 00000001800505AF

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEnvironmentExpandLeaveStrings
String ID:
API String ID: 3103530258-0
Opcode ID: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction ID: b0c21a69e9994dd49745b429a24057b93f4d6bf7018e4c24e81fb4468a7e2a6c
Opcode Fuzzy Hash: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction Fuzzy Hash: 0051AF32711A4882EB82CF29D8843DE7761F789BE8F549211FE69176A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066808 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180066883

Part of subcall function 0000000180066608: RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
Part of subcall function 0000000180066608: RegQueryValueExW.ADVAPI32 ref: 0000000180066696
Part of subcall function 0000000180066608: RegCloseKey.ADVAPI32 ref: 00000001800666AA

Strings

"%s" %s, xrefs: 00000001800668D4
/elevated, xrefs: 0000000180066879

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuewcsstr
String ID: "%s" %s$/elevated
API String ID: 1248106594-1382985213
Opcode ID: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction ID: f3329ece6a2879d43efc8f52936060a6c90d44f89bf07b9cf1bbe3f09b4200fa
Opcode Fuzzy Hash: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction Fuzzy Hash: E241A432702B4489EB95CF65D8407DC33A5FB88BD4F15861AAE5E53BA4DF34C659C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068954 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A424: RegOpenKeyExW.ADVAPI32 ref: 000000018006A44B

memset.MSVCRT ref: 00000001800689A4

Part of subcall function 000000018006A490: RegQueryValueExW.ADVAPI32 ref: 000000018006A4A9

Strings

SignData, xrefs: 0000000180068A87
IssueDate, xrefs: 0000000180068A07
Operator, xrefs: 00000001800689C1
ExpirationDate, xrefs: 0000000180068A4B
SOFTWARE\360MachineSignature, xrefs: 0000000180068980

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: OpenQueryValuememset
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 733315865-1479031278
Opcode ID: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction ID: ca32e24e8d646fa6672ed224415891838e44a9bb2fa0ab3c5403e0472a1cb0df
Opcode Fuzzy Hash: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction Fuzzy Hash: DA411972B00B149AFB92DBA5D8447DD73B5BB487C8F148A16AE6853B58EF34C708CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052E84 Relevance: 9.1, APIs: 6, Instructions: 87networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180052EE6
LeaveCriticalSection.KERNEL32 ref: 0000000180052F32
WSAStartup.WS2_32 ref: 0000000180052F68
WSCUnInstallNameSpace.WS2_32 ref: 0000000180052F85
WSAGetLastError.WS2_32 ref: 0000000180052F94

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

WSACleanup.WS2_32 ref: 0000000180052FA1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CleanupEnterErrorInstallLastLeaveNameSpaceStartupmemset
String ID:
API String ID: 3860525367-0
Opcode ID: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction ID: 37d746e663b56e28a6a3e394405e8b675d481f719bc3bdb0db42ce8d24bf20fd
Opcode Fuzzy Hash: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction Fuzzy Hash: 57316E31700A4886F6A29F25EC443E973A0FB8DBD5F548531B96A972A1DF39C7898700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064338 Relevance: 9.1, APIs: 6, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000180064372
GetFileSize.KERNEL32 ref: 0000000180064394
GetFileSize.KERNEL32 ref: 00000001800643A2
ReadFile.KERNEL32 ref: 00000001800643DE
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064406
CloseHandle.KERNEL32 ref: 000000018006440F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File$Size$CloseCreateHandleRead
String ID:
API String ID: 1601809017-0
Opcode ID: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction ID: 513f97a3dac13d024bc23301dce07c49bc5a225dcf8c593d0dc48b4e525c804c
Opcode Fuzzy Hash: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction Fuzzy Hash: 2E21803260475487E7819F2AE8443997BA1F788FD0F658225EF6547BA4DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004CD44 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5
??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CE1A
??3@YAXPEAX@Z.MSVCRT ref: 000000018004D181

Strings

Num_Catalog_Entries, xrefs: 000000018004CD4A
Catalog_Entries, xrefs: 000000018004CD48

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1245774677-781996053
Opcode ID: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction ID: 9fcea3ce77e1ed4f5330bab62f44b4aa9bf918aefdaa2edac95f8aa4354510da
Opcode Fuzzy Hash: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction Fuzzy Hash: E6C14132205F8481DAA1CF15F98039EB3A4F789BE4F598625EAED47B98CF38C155C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004687C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180046A22
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180046A67

Strings

Num_Catalog_Entries, xrefs: 0000000180046924
Catalog_Entries, xrefs: 0000000180046922

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1936579350-781996053
Opcode ID: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction ID: d1be57a1d71c98b0b77dd863bddb056ffd98aca7a61043883bc55f1bcd24f70e
Opcode Fuzzy Hash: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction Fuzzy Hash: 46A1CB72B01F5882EA55DF25D98439C33A4E708BF8F1A8315EA68477E4EF34C69AC345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040418 Relevance: 8.9, APIs: 7, Instructions: 155sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004048F
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404A5
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404DD
EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040553
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040569
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800405A1
Sleep.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004061C

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Sleep
String ID:
API String ID: 950586405-0
Opcode ID: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction ID: e5e3152c6d786b815c8bb063f8079f541e8d353448f2aaa10215c0b82b1e43f2
Opcode Fuzzy Hash: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction Fuzzy Hash: E8618C31301A4892FAD69B21EC943DA23A4F78DBE9F66C515ED6A572A1CF38C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010990 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32 ref: 0000000180010A0B
RegSetValueExW.ADVAPI32 ref: 0000000180010AF9
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010B02
RegCloseKey.ADVAPI32 ref: 0000000180010B0C

Strings

360scan, xrefs: 00000001800109E5

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CloseCreateValue
String ID: 360scan
API String ID: 1818849710-2450673717
Opcode ID: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction ID: 36ede12e68d324247f48980037de7b94a87db2de9e86c0014956a12bc0703eb2
Opcode Fuzzy Hash: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction Fuzzy Hash: 4341B132714B9885F7928B75D8503DC2B70BB8CBE8F549215EEA953BA5DF78C24AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008224 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008249
GetProcAddress.KERNEL32 ref: 0000000180008262
RegCreateKeyExW.ADVAPI32 ref: 00000001800082FB

Strings

Advapi32.dll, xrefs: 0000000180008242
RegCreateKeyTransactedW, xrefs: 0000000180008258

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction ID: ad22b3d90bad73cc844585d5212e8c39d9a41fcfaef769d6902fd1eabb8e997b
Opcode Fuzzy Hash: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction Fuzzy Hash: 77210C32619B8482EBA1CB55F8547AAB7A0F7C8BD4F149115EACD07B68CF7CC248CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E2D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000E31F
GetModuleFileNameW.KERNEL32 ref: 000000018000E341
PathAppendW.SHLWAPI ref: 000000018000E385

Strings

cloudcfg.dat, xrefs: 000000018000E379
..\Config\cloudcfg.dat, xrefs: 000000018000E350

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\Config\cloudcfg.dat$cloudcfg.dat
API String ID: 1620117007-2349577946
Opcode ID: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction ID: ddd92409ecb0ccec80f2ab3f904b9d803dc2e3fbc70a3a57e8900bd834cf0119
Opcode Fuzzy Hash: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction Fuzzy Hash: DD216F71204A8881EA91DB11E8443DE7360F78ABD9F90C211FA9947AE9DF7DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074A30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000000180074A58
GetProcAddress.KERNEL32 ref: 0000000180074A6E
FreeLibrary.KERNEL32 ref: 0000000180074A87

Strings

CorExitProcess, xrefs: 0000000180074A67
mscoree.dll, xrefs: 0000000180074A4F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction ID: e395451e8db6c2212d1c7d058d3e5d590d561a96988dee0adbc21a3ed47a46ec
Opcode Fuzzy Hash: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction Fuzzy Hash: 3CF0903120070491EEA28B64A84439A2360FB8C7E1F548619E67A4A2F4CF3DC34DC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AE8 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018C88
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018CA9

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018E36

Part of subcall function 0000000180042ADC: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042B9A

Part of subcall function 0000000180018AE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180018C64

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@EnterLeave
String ID:
API String ID: 3906572401-0
Opcode ID: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction ID: 485792f3aa206c277c5c0904b00aba5ea33dd2ed139350c249341fca4c3fabed
Opcode Fuzzy Hash: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction Fuzzy Hash: 5CB15732B05B448AEB51CFA0A8407DD33F5F748798F144526EE9867B88DF34C65AD354

Uniqueness

Uniqueness Score: -1.00%

Function 001314D8 Relevance: 7.7, APIs: 5, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001314FA
Process32First.KERNEL32 ref: 00131548
wsprintfA.USER32 ref: 00131693
wsprintfA.USER32 ref: 0013172D
Process32Next.KERNEL32 ref: 0013184F

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 4137211488-0
Opcode ID: 5ae15c8b8c9fac1bc2260a3d73dec5e15d910bbb577535e29febeca4dfee412a
Instruction ID: c382ee8f2556739568dfc6b235a106d3b4cd57f30fa34ade9701d4e8adcc3f0f
Opcode Fuzzy Hash: 5ae15c8b8c9fac1bc2260a3d73dec5e15d910bbb577535e29febeca4dfee412a
Instruction Fuzzy Hash: 4391F876619BC1E6DA60DB15E48039AB7A5F7D8384F900225EBCD43B68EF78C546CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070F00 Relevance: 7.7, APIs: 5, Instructions: 174COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180070F36

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction ID: 273587a47ae5326c80e6ba55da8392b357747b6508265d18e5e13f97f53468fd
Opcode Fuzzy Hash: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction Fuzzy Hash: 7471A572204B88CAE7AA8F19A4403EE77A4FB887D4F148115FE9947BD4DF3AC604C700

Uniqueness

Uniqueness Score: -1.00%

Function 001333AC Relevance: 7.7, APIs: 5, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1b7d8a54ca9e61b32243bdca9827d2af31baf2e5ee2aa88a178ea20bd3cca5
Instruction ID: 419d1cd18973d3b13d39a4ceb472edd046808d52e61f51e035053bf17ea67cb2
Opcode Fuzzy Hash: ba1b7d8a54ca9e61b32243bdca9827d2af31baf2e5ee2aa88a178ea20bd3cca5
Instruction Fuzzy Hash: 38810A72219B8595DB61EB11F49139AB3A0FBD5384F901426EBCE43A78EF7CC649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00135030 Relevance: 7.6, APIs: 5, Instructions: 122networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET ref: 00135168
HttpOpenRequestA.WININET ref: 001351E8
InternetSetOptionA.WININET ref: 00135227
HttpSendRequestA.WININET ref: 00135273
HttpSendRequestA.WININET ref: 00135294

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequest$OpenSend$InternetOption
String ID:
API String ID: 664753792-0
Opcode ID: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction ID: c3845d65c315092e6188af00eb253e13d5317f593431812fa0d2b4dc10842f3e
Opcode Fuzzy Hash: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction Fuzzy Hash: B161C276609B80C6EB61CB15F49439AB7A1F399784F60052AEBC943B68EF7DC548CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016CA8 Relevance: 7.6, APIs: 5, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D26
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D4B
memmove.MSVCRT(?,?,?,0000000180016E29), ref: 0000000180016D69
??3@YAXPEAX@Z.MSVCRT ref: 0000000180016DA1
memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction ID: 28467c757ab6f7ef32b6ddf95ff48fc265dfbbceda238bfa6dff49904db51385
Opcode Fuzzy Hash: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction Fuzzy Hash: 0C41C432B05B8881EF568B16F9403996361E748BE0F548725AB7A07BE9DF78C6958340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A658 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

_swprintf_c_l.LIBCMT ref: 000000018006A6B0
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A6DB
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A755

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$_swprintf_c_l
String ID:
API String ID: 3930809162-0
Opcode ID: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction ID: 2e3324a3b5d682f35c297bfefc02d538748b26edc97be9d81ac6111acbd6bae8
Opcode Fuzzy Hash: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction Fuzzy Hash: 0A41E33231875496EBA5DA26D90079A67A2BB4DBC0F248015AF1A43F41DE35D6688B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044CE4 Relevance: 7.6, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044D24
LeaveCriticalSection.KERNEL32 ref: 0000000180044D3A
LeaveCriticalSection.KERNEL32 ref: 0000000180044D71
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DDC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DF2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044E29

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction ID: 73bd4c9cd9396375e0c1b942217bf14bfc10cb3082dae23d56ea31479293823c
Opcode Fuzzy Hash: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction Fuzzy Hash: 19413932641B0896FA869F21EC943E83764F749FD9F598115EAA50B3A5CF28C74EC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016090 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018001611F
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016144
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 000000018001616B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800161A1
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800161AB

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction ID: 3308181ea52ff5a0dd97f5d36b69886329373971ad435e2f25c4df82c4de258d
Opcode Fuzzy Hash: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction Fuzzy Hash: 8231D332705B8894EF5ACF16D9443986362F709FE0F588615EE6E07BE6DE78D299C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800161EC Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 0000000180016298
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162A6
??3@YAXPEAX@Z.MSVCRT ref: 00000001800162DE
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162E8
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162F6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction ID: b2b38ff55e60cbfe57fc328909b4bad170525be2db7207aa5bf6da73de3f6202
Opcode Fuzzy Hash: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction Fuzzy Hash: 7831D272700A8891DB569F12E9043DE6351F748FD0F948522EF5E4BBA6DE3CC259C300

Uniqueness

Uniqueness Score: -1.00%

Function 00138D90 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00138DF7
InternetOpenUrlW.WININET ref: 00138E33
InternetCloseHandle.WININET ref: 00138F33
InternetCloseHandle.WININET ref: 00138F46

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 1ae38b70c00e5fa2b0baae9672864dfc4ebc490b6e9ea35561f34b789a8602ec
Instruction ID: 04ae8cdf1a4bf5558470f693f9f04813b8f4ddb50aa274acdc713fe0db26dbe8
Opcode Fuzzy Hash: 1ae38b70c00e5fa2b0baae9672864dfc4ebc490b6e9ea35561f34b789a8602ec
Instruction Fuzzy Hash: 4441DF76229B8086D760CB19F49471AB7A1F3C9B84F505429FB8A83B68DF7DC854CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800442DC Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180044380
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 000000018004439C
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443B5
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443CB
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443D9

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction ID: 762f5997fa826d969e67cf094c143b4ceaf1448be14793aa958531d929a095e6
Opcode Fuzzy Hash: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction Fuzzy Hash: 8231A172300E9885D94AEE5286843DCA765F74DFD4F66C521BF680BB96CE38D24AC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180057FF0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32 ref: 000000018005802B
GetAncestor.USER32 ref: 0000000180058051
GetWindowRect.USER32 ref: 0000000180058071
memset.MSVCRT ref: 00000001800580D5
StrCmpIW.SHLWAPI ref: 00000001800580F6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Window$AncestorFromPointRectmemset
String ID:
API String ID: 3039914759-0
Opcode ID: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction ID: 06be680ac09e87041cb82e4d3d0d5ca659cc845397dc933fd24aa54eca265516
Opcode Fuzzy Hash: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction Fuzzy Hash: 1931CD32615A4486F7E28F25DC487DA63A4FB8C7C4F449020FE5977694EF39CA99D700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004B34 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 0000000180004B51
iswspace.MSVCRT ref: 0000000180004B62
_errno.MSVCRT ref: 0000000180004BC5
memmove.MSVCRT ref: 0000000180004BE4
_errno.MSVCRT ref: 0000000180004C25

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errnoiswspace$memmove
String ID:
API String ID: 972559988-0
Opcode ID: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction ID: aea15859d9ef88290176a7c9cabebc096ef147a52e12ca1286494642d1a9418c
Opcode Fuzzy Hash: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction Fuzzy Hash: 3531CBB3601A4886EB99DF54D9847ED33A0F788BC0F18C019EB4A0B792DF3DDA588744

Uniqueness

Uniqueness Score: -1.00%

Function 0013B4CC Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0013B59C
wsprintfW.USER32 ref: 0013B5EE
CreateProcessW.KERNEL32 ref: 0013B63D
CloseHandle.KERNEL32 ref: 0013B650
CloseHandle.KERNEL32 ref: 0013B65B

Memory Dump Source

Source File: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, Offset: 00130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_130000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$CreateProcess
String ID:
API String ID: 2803068115-0
Opcode ID: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction ID: da12eb9c82cd0421016ec6dea64d8c1b4b2fd8c64bbe910e4aa6c8da0b3c0fd4
Opcode Fuzzy Hash: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction Fuzzy Hash: 1941F272208BC196DB60DB15F48039AB7A1F7D8384F804426EBCA83A68EF7CC559CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010EFC Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180011890: EnterCriticalSection.KERNEL32 ref: 00000001800118C7
Part of subcall function 0000000180011890: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180011949
Part of subcall function 0000000180011890: LeaveCriticalSection.KERNEL32 ref: 0000000180011965

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180010F28

Part of subcall function 00000001800101E0: ??3@YAXPEAX@Z.MSVCRT ref: 000000018001021F

??3@YAXPEAX@Z.MSVCRT ref: 0000000180010F67
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FCC
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FE2
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180011004

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalSection$Delete$EnterLeave
String ID:
API String ID: 274858031-0
Opcode ID: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction ID: d11087617417198f0cbd7eb66d5c9be171642f9dfb033e604718f16c8d919299
Opcode Fuzzy Hash: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction Fuzzy Hash: 49312A36201E88A2EB569F64E4913DDA360F7897D0F54C522EB9D437A1DF78DAA9C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072640 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072658

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction ID: a73d7fb5a67d4d67bba371cf0b3796608c1c1b370b7326418a0f08ed132aa8b6
Opcode Fuzzy Hash: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction Fuzzy Hash: D411E03270468881EAE66B25B1403DE63D0E7487E0F09A226FBAA1B7C5CE3DD5D79714

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072700 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072718

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction ID: ac3a4cfa431d0ef0eaea2260b684207aebe75cd91c02b4061f0f196fb58aac9a
Opcode Fuzzy Hash: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction Fuzzy Hash: 2611013270878881EAEA6B25B2403DE6391E7487D0F08A125BBAA0B3C5DE3DD5979304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800543E4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544D5
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544FA
??3@YAXPEAX@Z.MSVCRT ref: 000000018005469A

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800543EC

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction ID: 67395956b14f0255dc157d00751ecdd5e79b91100998fde5bc7e771f553c8d3c
Opcode Fuzzy Hash: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction Fuzzy Hash: 5C81AFB3700B4882DE65CF15E8447E9A3A5F749BD4F54C222BA9D1B794EF7AD289C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800546E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547CD
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180054933

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800546F0

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction ID: ceb8e503b58a09837b0f64c0a513370a87b020a4d694bdf072cc47396662b60f
Opcode Fuzzy Hash: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction Fuzzy Hash: 8251C47371579C82EE59CB16E5143EA6364B34DBD4F108626BEAD1BBC4DF39C2558300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C374 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140synchronizationtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000C3B5
ReleaseMutex.KERNEL32 ref: 000000018000C520

Strings

%I64d, xrefs: 000000018000C3DE
__LastModified__, xrefs: 000000018000C43A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Time$FileMutexReleaseSystem
String ID: %I64d$__LastModified__
API String ID: 4233779698-1650611527
Opcode ID: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction ID: 09458c959511dc8cfabe6624f5c81a29e97a68172d7e622df1c6d3cc80163a48
Opcode Fuzzy Hash: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction Fuzzy Hash: FF518D72610A0986EB96DB39C8507ED33A0FB49BE8F448321BE3A476E5DF24C649C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180048BC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180048C08

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 0000000180048D8C: _vsnwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000180048DAE

IsBadStringPtrW.KERNEL32 ref: 0000000180048CE6

Strings

error_code, xrefs: 0000000180048C48
com, xrefs: 0000000180048C0D, 0000000180048C4F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: HeapProcessString_vsnwprintf_smemset
String ID: com$error_code
API String ID: 3912638396-1490343999
Opcode ID: c3fc6b550fc0518e05701da538a0c891b20461f4f7683d40c3e05c31526f994e
Instruction ID: a6db5d25ead79d5040835bfd854280f02b38994ac018b834727960b236b5b414
Opcode Fuzzy Hash: c3fc6b550fc0518e05701da538a0c891b20461f4f7683d40c3e05c31526f994e
Instruction Fuzzy Hash: E351D772601D4995EB82DB25D8803DE2360FB88BD8F55C212FE2D476E9DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D00C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000D094
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018000D132
GetLastError.KERNEL32 ref: 000000018000D13C

Strings

http://%s/wcheckquery, xrefs: 000000018000D012

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinmemset
String ID: http://%s/wcheckquery
API String ID: 1980634866-481256882
Opcode ID: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction ID: d06bd9b14ce5bf28a863698d63a9b65a52eeb4a283bf68ad799e7df679026a35
Opcode Fuzzy Hash: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction Fuzzy Hash: 0841A032601B4996E7A2CF64E8403DA73E4F788BA4F548125EF8957794EF3CC659C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96sleeplibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,000000018001AEC5), ref: 00000001800747AB
Sleep.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074840
SetLastError.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074885

Strings

InitOnceExecuteOnce, xrefs: 00000001800747A1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressErrorLastProcSleep
String ID: InitOnceExecuteOnce
API String ID: 299661913-4081768745
Opcode ID: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction ID: d97429db02a29b97f0d7b061f75759de830bcf77ba77d21ec7224c84f46128ac
Opcode Fuzzy Hash: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction Fuzzy Hash: 4331C63131175881FBDA8B65AC103A92294BB4DBE4F44C225FE6A9B7D4DF3DCA4A8300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042088 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800421A6

Strings

emc, xrefs: 0000000180042137
mpt, xrefs: 0000000180042158
nct, xrefs: 000000018004217C

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: emc$mpt$nct
API String ID: 0-4018135154
Opcode ID: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction ID: 4437dbb73dbe2b615a95de1095330fd5d3d5a6b349df20e8dd5e5932057711ae
Opcode Fuzzy Hash: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction Fuzzy Hash: 00416872200B499AEB82DF71D8403DA37B0F3587D8F858912FA28976A9DF34C659C790

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CCA8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000018005CD59
GetProcAddress.KERNEL32 ref: 000000018005CD6E

Strings

NTDLL.DLL, xrefs: 000000018005CD52
ZwSetInformationThread, xrefs: 000000018005CD64

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$ZwSetInformationThread
API String ID: 1646373207-2735485441
Opcode ID: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction ID: b89890f0d555bdc3e142d7496d6436052e72b1d505dadace56c849a3f497b7c1
Opcode Fuzzy Hash: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction Fuzzy Hash: 10315472A04B8886E6829B24D5017E86760FB987C4F05E625FF5D62293EF35E7CCC311

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F014 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 000000018005F105

Strings

update sqlite_sequence set seq = 0 where name='MT';, xrefs: 000000018005F0DF
select * from sqlite_sequence;, xrefs: 000000018005F0A6
DELETE FROM 'MT', xrefs: 000000018005F06D

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: MutexRelease
String ID: DELETE FROM 'MT'$select * from sqlite_sequence;$update sqlite_sequence set seq = 0 where name='MT';
API String ID: 1638419-14785165
Opcode ID: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction ID: 2735ef6a2105b6c033439e84eaa5791c9d84b25ec53eae267885e45c8fb0a052
Opcode Fuzzy Hash: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction Fuzzy Hash: 2231CE32305B4982EAA59B64E5903AD6390F78CBE0F089224EF6D57BD1CF69CA598700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005C9F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005CA65
_time64.MSVCRT ref: 000000018005CA9D

Strings

opentime_afterupdate, xrefs: 000000018005CA52
MsgCenter, xrefs: 000000018005CA28

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Value_time64
String ID: MsgCenter$opentime_afterupdate
API String ID: 785988768-2434204715
Opcode ID: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction ID: fc05a4dbc7e4eba58b3f0245281c2719f95df9f8cff95e83ed4d87eeecbf7a83
Opcode Fuzzy Hash: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction Fuzzy Hash: F021A272600B4887E752CF28D4407897BA0F788BF4F508325BA69537E4DF34C649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CDD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_wcslwr.MSVCRT ref: 000000018005CE1F
memset.MSVCRT ref: 000000018005CE61
??2@YAPEAX_K@Z.MSVCRT ref: 000000018005CE89

Strings

Global\QIHOO360_%s, xrefs: 000000018005CE6B

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@_wcslwrmemset
String ID: Global\QIHOO360_%s
API String ID: 2483156104-3710684550
Opcode ID: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction ID: 82c5ad46f6e7f4dabe07948ff870f9b922604b6aade2c66f9895ca3b1b8f50de
Opcode Fuzzy Hash: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction Fuzzy Hash: 5821A171205B8881FBA6DB10E8553EA6360F7897D4F808221B69D077D5EF3DCA49C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52timeCOMMON

Download Yara Rule

APIs

sscanf.LEGACY_STDIO_DEFINITIONS ref: 000000018006A519
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A530
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A542

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 000000018006A4FA

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Time$File$LocalSystemsscanf
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 34346384-1004895946
Opcode ID: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction ID: 56cd0a7082cee1cdafaeaa7a6634e2a063740646281a87663471f261b7941616
Opcode Fuzzy Hash: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction Fuzzy Hash: 53210472B10B1889FB81DFA4D8803DD33B4B708788F948526EA1D96768EF34C659C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040358 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004038D
SHGetSpecialFolderPathW.SHELL32 ref: 00000001800403A0

Part of subcall function 0000000180019044: LoadLibraryExW.KERNEL32 ref: 000000018001906D
Part of subcall function 0000000180019044: FindResourceW.KERNEL32 ref: 0000000180019085
Part of subcall function 0000000180019044: SizeofResource.KERNEL32 ref: 0000000180019099
Part of subcall function 0000000180019044: LoadResource.KERNEL32 ref: 00000001800190A8
Part of subcall function 0000000180019044: LockResource.KERNEL32 ref: 00000001800190B9
Part of subcall function 0000000180019044: malloc.MSVCRT ref: 00000001800190CA
Part of subcall function 0000000180019044: memmove.MSVCRT ref: 00000001800190E1
Part of subcall function 0000000180019044: FreeResource.KERNEL32 ref: 00000001800190E9
Part of subcall function 0000000180019044: FreeLibrary.KERNEL32 ref: 00000001800190F2
Part of subcall function 0000000180019044: VerQueryValueW.VERSION ref: 000000018001911A
Part of subcall function 0000000180019044: free.MSVCRT ref: 000000018001913F

Strings

%u.%u.%u, xrefs: 00000001800403D4
\Internet Explorer\IEXPLORE.EXE, xrefs: 00000001800403A6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindFolderLockPathQuerySizeofSpecialValuefreemallocmemmovememset
String ID: %u.%u.%u$\Internet Explorer\IEXPLORE.EXE
API String ID: 28297470-3177478685
Opcode ID: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction ID: 8c267d1c97a4f3ae60188c217bf77148b2efdc3265efdf379ec177d08f4db65c
Opcode Fuzzy Hash: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction Fuzzy Hash: 95118F32325A8986EB91DB25E4457DB7360F78C789F805012B68A47955DF3DC609CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C7D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

GetModuleFileNameW.KERNEL32 ref: 000000018003C829
PathAppendW.SHLWAPI ref: 000000018003C83B
PathFileExistsW.SHLWAPI ref: 000000018003C846

Strings

..\360NetBase64.dll, xrefs: 000000018003C82F

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendCriticalExistsInitializeModuleNameSection
String ID: ..\360NetBase64.dll
API String ID: 2373086246-4183035884
Opcode ID: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction ID: af5cf4f44f90b4c64e773468feb6851d22c47134ddc293a853e7e5ebda926cde
Opcode Fuzzy Hash: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction Fuzzy Hash: 25114C71614A4981FBF3AB60E8953DB23A0FB8D7C9F518115B58D825A5EF28C74DC702

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002DE4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 0000000180002E06
wcsncmp.MSVCRT ref: 0000000180002E20
PathIsDirectoryW.SHLWAPI ref: 0000000180002E34

Strings

\\?\, xrefs: 0000000180002DFF

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$DirectoryPath
String ID: \\?\
API String ID: 911398208-4282027825
Opcode ID: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction ID: 9903006c7179f3997e6314bb7e882962eeb1ce79a0b7cc9db4c5bfd4c7dd6eaa
Opcode Fuzzy Hash: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction Fuzzy Hash: E501AD3036568882FBA2EB25EC457E97214BB4CBD0F848235B96A8B1E5DF6CC34DC304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800142E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180014317
GetModuleFileNameW.KERNEL32 ref: 000000018001432E
PathAppendW.SHLWAPI ref: 0000000180014340

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

Strings

..\safemon\FreeSaaS.tpi, xrefs: 0000000180014334

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFilePathSection$AppendEnterExistsLeaveModuleNamememset
String ID: ..\safemon\FreeSaaS.tpi
API String ID: 154803636-205188023
Opcode ID: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction ID: d74fc56e569283819db6817bdf86699dd223bda9e6afadc26b68049d38556e4d
Opcode Fuzzy Hash: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction Fuzzy Hash: B5016D35219A8C82FBE2D721EC693D92790B78D388F80D041A4AA077A1DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800560C8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000180056109
CreateMutexW.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005611D
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005612B

Strings

D:P(OA;;FA;;;WD), xrefs: 00000001800560EC

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateFreeLocalMutexString
String ID: D:P(OA;;FA;;;WD)
API String ID: 794372803-936388898
Opcode ID: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction ID: 0d5b46b33c23d90729eae48064ade5dfd8da35591b75e80b0d34519ac450dbba
Opcode Fuzzy Hash: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction Fuzzy Hash: 44014B72A14F4486EB518F21F8487A973E0F78CBD4F468221EA5D87714DF38C658C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002AD5C Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_wcsicmp.MSVCRT ref: 000000018002AE4E

Part of subcall function 00000001800275E4: IIDFromString.OLE32 ref: 000000018002760B

Strings

, xrefs: 000000018002B093
CLSID, xrefs: 000000018002AEFC
ftp:, xrefs: 000000018002AE44

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FromHeapProcessString_wcsicmp
String ID: $CLSID$ftp:
API String ID: 2012545421-381575252
Opcode ID: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction ID: d299122ce3e9d517528ccb327dc5a756d1d769515d838a72f3e491c2ced193a8
Opcode Fuzzy Hash: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction Fuzzy Hash: 41F14073301B4886EB52DB29D8407DE7361F789BE9F448311AA6D876E5DF78CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006616C Relevance: 6.3, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001800661AC
LeaveCriticalSection.KERNEL32 ref: 00000001800661F5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

malloc.MSVCRT ref: 000000018006621C
memmove.MSVCRT ref: 0000000180066241
free.MSVCRT ref: 0000000180066272

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeavefreemallocmemmove
String ID:
API String ID: 1740668140-0
Opcode ID: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction ID: e94a3ea1fea36b0b32ca35adaff13378f84fa0a728ffd439e1abdc7c1a055df0
Opcode Fuzzy Hash: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction Fuzzy Hash: 4D316C32605B4886EB828F15EC543D977A5F79CBE4F59C225EAA9077A5CF3CC249C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002CD40 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 000000018002CE3A

Strings

{0CF774D0-F077-11D1-B1BC-00C04F86C324}, xrefs: 000000018002CE2F
ScriptEngine, xrefs: 000000018002CD6C
ScriptHostEncode, xrefs: 000000018002CDE1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: ScriptEngine$ScriptHostEncode${0CF774D0-F077-11D1-B1BC-00C04F86C324}
API String ID: 2081463915-2936173157
Opcode ID: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction ID: 292b1ab8c79ee979d74f734f58635ebd7dc6439912a4449b937fba72fcba6d7c
Opcode Fuzzy Hash: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction Fuzzy Hash: 5B514F72711E4986EB419F79C8807CC2760FB49BF4F449322AA3E936E5DF64C989C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C208 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C25E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C2A7
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C30E
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C3A4

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction ID: ad71276d619936af7ac4a5a15bbb21467ea728ff9fc93a66917b9291cac940fe
Opcode Fuzzy Hash: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction Fuzzy Hash: 04514B36201B4886EB96CF21E844B9E33A9FB48BD8F158516EE6947768CF34C658C391

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C20C Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

SysFreeString.OLEAUT32 ref: 000000018004C293
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C2A6
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C2B9
SysFreeString.OLEAUT32 ref: 000000018004C385

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??2@Free$??3@Alloc
String ID:
API String ID: 1832687772-0
Opcode ID: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction ID: 427e473512a75300f47d7fa230ba5ccb5e5a60885440308665830fb44559812f
Opcode Fuzzy Hash: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction Fuzzy Hash: 58513A72711A0885EB91DFA5C8947ED3370FB48FE9F098621EE2A57698DF78C648C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072146 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072156
wcstol.MSVCRT ref: 0000000180072185
_errno.MSVCRT ref: 0000000180072197
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction ID: ea2c5121f7eb01e98f314e31e7cc383447851c7166ff6db358424aa6cc9ed06f
Opcode Fuzzy Hash: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction Fuzzy Hash: C351683264478886EBA68F26A1403AE33E5F7597D8F008115FF9907798CF3ADA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072242 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007224E
wcstol.MSVCRT ref: 000000018007227D
_errno.MSVCRT ref: 000000018007228F
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction ID: b35714efefb3a3022de44867f37344a12698415f3c6fa059f944579b3902dd1a
Opcode Fuzzy Hash: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction Fuzzy Hash: AE415A7264478886EBB68F2594503EE37A1F7597E8F008115FF5807798CF3EDA5A8B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ADF4 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000018000AE88
GetLastError.KERNEL32 ref: 000000018000AE9A
WideCharToMultiByte.KERNEL32 ref: 000000018000AEC4
WideCharToMultiByte.KERNEL32 ref: 000000018000AEFA

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction ID: bae3b3959ef39ef5daeeababb2c60870945ab1ace41e6c98233782fb8fc2ea52
Opcode Fuzzy Hash: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction Fuzzy Hash: 9B31D272604B8482E764CF56B88074AB7A8F79DBD0F548628AFD947BA5CF38C645C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006C200 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

Part of subcall function 000000018006A32C: CreateFileA.KERNEL32 ref: 000000018006A363

memset.MSVCRT ref: 000000018006C2AB

Part of subcall function 000000018006A2C8: DeviceIoControl.KERNEL32 ref: 000000018006A2F1

CloseHandle.KERNEL32 ref: 000000018006C308

Part of subcall function 000000018006BD88: memmove.MSVCRT ref: 000000018006BDDE

Strings

\\.\PhysicalDrive%d, xrefs: 000000018006C25A
DISKID:, xrefs: 000000018006C2EC

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLastmallocmemmovememset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 1541746987-3765948602
Opcode ID: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction ID: 026b1f04e6263926176f9cf333c98f43658e4a5f02bea82afa83b16206533a48
Opcode Fuzzy Hash: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction Fuzzy Hash: D831063220474542FBA29B66AC00BEA7392F789BD4F608121BE5947795DF3CC749CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E200 Relevance: 6.1, APIs: 4, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 000000018001E242
RegDeleteKeyW.ADVAPI32 ref: 000000018001E265
RegDeleteKeyW.ADVAPI32 ref: 000000018001E293
RegDeleteKeyW.ADVAPI32 ref: 000000018001E2B6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction ID: 40b5deca117a7cefaab46096add2d716b918ff16b730c8479b301d173d09ace7
Opcode Fuzzy Hash: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction Fuzzy Hash: 44219031705E8840FBAADBA2991079D6299BB4EFC0F1DC525FD2A437D4DE38C7488311

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800324A4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 00000001800324C4

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003251C
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003252F
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032542

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction ID: 2d82027f7e94cb9bcb22be17a4537bea80464cdcc919518384ddf93808e552b3
Opcode Fuzzy Hash: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction Fuzzy Hash: 0521C432611E4482EB529F29D85039EB3A0FB89BF4F198711EA794B6E8DF7CC2448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032A90 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180032AB3

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032B0B
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032B1E
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032B31

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction ID: 283ffb4ef057f0283fd59c714cbfe65b47d72467c2882de283dc062303e29699
Opcode Fuzzy Hash: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction Fuzzy Hash: 1221B832611A4482EB92DF29D84439EB3A0FB89BF4F198725E779476E9DF7CC6448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180033068 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180033088

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 00000001800330E0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800330F3
??3@YAXPEAX@Z.MSVCRT ref: 0000000180033106

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 307ce0f3569f6860fa341fe80190f4157af3b04d29387ea8d5fe3f277a62001a
Instruction ID: d9e03fda3b1d153f0bd4bb02b331d59468f410aa3c35072f5ffbfd31d5bd1a6e
Opcode Fuzzy Hash: 307ce0f3569f6860fa341fe80190f4157af3b04d29387ea8d5fe3f277a62001a
Instruction Fuzzy Hash: CD21D632601A4482EB568F29D89139EB3A0FB88BF4F198715EA79476E8DF7CC644C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C614 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(?,?,?,00000001800188EE), ref: 000000018003C62A
malloc.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C663
free.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C6B1
GetTickCount.KERNEL32(?,?,?,00000001800188EE), ref: 000000018003C6B7

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CountTick$freemalloc
String ID:
API String ID: 112427268-0
Opcode ID: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction ID: b8918b2958dc72fb2df8bfc42f6eb5cd02d312beeb31fdbe44136919b98f9138
Opcode Fuzzy Hash: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction Fuzzy Hash: 3021517261560987EFD78B24EC85BAF23A0B74C7C0F42E024F95682695DF38D75D8B02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AF10 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000018001AF4B
EnterCriticalSection.KERNEL32 ref: 000000018001AF6C
LeaveCriticalSection.KERNEL32 ref: 000000018001AFB5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

DeleteCriticalSection.KERNEL32 ref: 000000018001AFE6

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$DeleteEnterLeave
String ID:
API String ID: 3345835275-0
Opcode ID: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction ID: bac7ba2d50b8a8327d60b40396a6a413962eafb144c30abffe047fc5a4d1e144
Opcode Fuzzy Hash: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction Fuzzy Hash: 51212970605A4896FBD29F50EC543D873A8F74EBE4F588229EAA9062A5DF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070910 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007093E
_msize.MSVCRT ref: 0000000180070965
realloc.MSVCRT ref: 000000018007097B
memset.MSVCRT ref: 0000000180070999

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_msizememsetrealloc
String ID:
API String ID: 1716158884-0
Opcode ID: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction ID: eee6de8c671426a850027d5845b58404d35e5bb09185fe1037511193ebe898ed
Opcode Fuzzy Hash: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction Fuzzy Hash: 7201A536715648C1F9869B27A4043D99251AB8CBE0F1DD720BF6A07BCBDE3DC6418700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007F080 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007F0A2
memmove.MSVCRT(?,?,00000072,000000018007DC56), ref: 000000018007F0D7
memset.MSVCRT ref: 000000018007F0F3
_errno.MSVCRT ref: 000000018007F102

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$memmovememset
String ID:
API String ID: 390474681-0
Opcode ID: 34773165fa903b58a8169a26407c6ce6a53d95ed58fc80f98c13fe875aa60091
Instruction ID: 14b1c1fe1981e25254dae316b1258392d266da5cf9c387dbe4ce1a9d85b7c1af
Opcode Fuzzy Hash: 34773165fa903b58a8169a26407c6ce6a53d95ed58fc80f98c13fe875aa60091
Instruction Fuzzy Hash: 2401D631B1469C42FAE66B56F0003EE5250AB8CBD0F48D020BF4557B8FCE2ECA968740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064710 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064746
FreeLibrary.KERNEL32 ref: 000000018006477F
LeaveCriticalSection.KERNEL32 ref: 0000000180064793
DeleteCriticalSection.KERNEL32 ref: 000000018006479D

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnterFreeLeaveLibrary
String ID:
API String ID: 2347899730-0
Opcode ID: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction ID: 48e8189d87aa0b979fc36c7d6fe6748a55851d8ea4777fada0444d8c8a940578
Opcode Fuzzy Hash: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction Fuzzy Hash: 6E117033605B4897EB558F21E9443A97360FB4A7B5F1897249B690BAA0CF78D2798300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A900 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 000000018006A91E
_swprintf_c_l.LIBCMT ref: 000000018006A93A
ReadFile.KERNEL32 ref: 000000018006A955
_swprintf_c_l.LIBCMT ref: 000000018006A974

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: File_swprintf_c_l$PointerRead
String ID:
API String ID: 1259558433-0
Opcode ID: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction ID: 41788915f12d7117270c0c242483de8f49aba279d1603b6e07884f1d05f749b7
Opcode Fuzzy Hash: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction Fuzzy Hash: 9B01F53172864881F7929B61AC407DBA3A1F74D7C4F65C022FA5543A64CF3DC748CB20

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A3F0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A413
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A426
??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A43F
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A452

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction ID: 461c31f9552aa3729a5e6565f135de1ccc8cc925f396947b96927f6322aea50e
Opcode Fuzzy Hash: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction Fuzzy Hash: A6014B72604B8486DA999F02B84439AA6A4F799FC0F58C034AF9A1BB1ACE7CC2518700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D048 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

StrCmpNIW.SHLWAPI ref: 000000018001D071
StrCmpNIW.SHLWAPI ref: 000000018001D08B

Part of subcall function 0000000180002DE4: wcsncmp.MSVCRT ref: 0000000180002E06
Part of subcall function 0000000180002DE4: wcsncmp.MSVCRT ref: 0000000180002E20

Strings

http://, xrefs: 000000018001D067
https://, xrefs: 000000018001D081

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$FromListPath
String ID: http://$https://
API String ID: 1354619976-1916535328
Opcode ID: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
Instruction ID: 3b4f654c0190b1c660da69d9b707c9435e3e8476667423005c0f2b5f6a7ba28a
Opcode Fuzzy Hash: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
Instruction Fuzzy Hash: 21F06D30314B4D81FBD3AB22ED807E92361A74DBC0F08D026BE128B681EE29C79DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042CB8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 0000000180042D94

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

Strings

Connection: Keep-Alive, xrefs: 0000000180042DE3
Cache-Control: no-cache, xrefs: 0000000180042E08

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalInitializeMultiSectionWide
String ID: Cache-Control: no-cache$Connection: Keep-Alive
API String ID: 2071930665-2797312137
Opcode ID: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction ID: 06b1c2be51b69464b9694ee66dce0eee22d8a6c444c0793ba53430c965e4d999
Opcode Fuzzy Hash: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction Fuzzy Hash: 6971B172300E9886EB96DF26D4807DD3760FB89BD8F86C625BE2947B85CF31D6598304

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 000000018003A3B9

Strings

map/set<T> too long, xrefs: 000000018003A3B2

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 909987262-1285458680
Opcode ID: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction ID: b716ba77de4695a230c5cde56cb36caf30baef682964767987e615475274616d
Opcode Fuzzy Hash: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction Fuzzy Hash: 17419E32208F8881EAA2CF25E84039E73A4F399BE0F558225EF9D43B95DF39C556C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C31C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 000000018001C340
wcscmp.MSVCRT ref: 000000018001C398

Strings

RUNDLL32, xrefs: 000000018001C38E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: FileFindNamePathwcscmp
String ID: RUNDLL32
API String ID: 3222201028-252960710
Opcode ID: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction ID: 4f5a5794d41fc096d520f70cd288b3f3e4e93d0d03317b7f7fc332b0f1d573f2
Opcode Fuzzy Hash: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction Fuzzy Hash: 87412932711A5896EB919F39C84479C2360FB49BB8F548312EA3D47BE9DF34CA99C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004AF08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004AF8E

Strings

p, xrefs: 000000018004AF7D

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction ID: c7a46caf8343ac9de693e6305f929c410170157657da93c1511d6525c5ccc842
Opcode Fuzzy Hash: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction Fuzzy Hash: B221B632208F8885E7A1DF51F48078AB3A4F799BC4F158021BE8D43B59DF38C549CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004B054 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004B0BF

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004B0DA

Strings

p, xrefs: 000000018004B0C9

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
Instruction ID: 630a19f9e7c8d33164371876bc9408f173fd4fcd3dffaf0243fab21a92527801
Opcode Fuzzy Hash: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
Instruction Fuzzy Hash: E1217432204F8885E7A1DF61F48078AB7A4F788BC4F558121FE8883B5ADF38C654CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AFB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005B020

Strings

opentime_afterinstall, xrefs: 000000018005B00D
MsgCenter, xrefs: 000000018005AFE8

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction ID: 9121a4dbc030fef007b745f88a0fe18748c482634fd5ebee216f5006264a8ac8
Opcode Fuzzy Hash: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction Fuzzy Hash: AC116A72600B4482EB508F29E44438AB760F789BF4F108316EB79437E4CF79C688CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,171.8.167.45,?,0000000180074FBF,?,?,?,?,?,?,000000018006F6BE), ref: 0000000180074CD8
Sleep.KERNEL32(?,171.8.167.45,?,0000000180074FBF,?,?,?,?,?,?,000000018006F6BE), ref: 0000000180074CF4

Strings

171.8.167.45, xrefs: 0000000180074CCB

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: 171.8.167.45
API String ID: 1164918020-2723241389
Opcode ID: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction ID: 739a1f1183ec9c18e579ba8ee55cb859ca32a6d953d7c9429809cc63265ca520
Opcode Fuzzy Hash: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction Fuzzy Hash: B201D13370425586E7A3DFA9B88039E66A0F74C7E0F058431FF4487655EF79C99A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B060 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SHSetValueW.SHLWAPI ref: 000000018005B0BD

Strings

opentime_afterinstall, xrefs: 000000018005B0AA
MsgCenter, xrefs: 000000018005B07E

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
Instruction ID: 21b9b515d364e76d08f8b9de98a0e6c83aa7314f475d7e108810017b28aec3e9
Opcode Fuzzy Hash: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
Instruction Fuzzy Hash: DA0188B2611B4482DB10DF69D854389B760F788BB0F00831AEA79137E4DF78C699CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008455E Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 000000018008457B
_CxxThrowException.MSVCRT ref: 000000018008459B
_CxxThrowException.MSVCRT ref: 00000001800845BE
_CxxThrowException.MSVCRT ref: 00000001800845E1

Memory Dump Source

Source File: 00000008.00000002.446994309.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.446990685.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447016292.00000001800C5000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.447024270.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction ID: 38ed7ffc1fc9f375285380fd3d7b3dc2d70f7ac5fc31fc0dcffbf51ad022335a
Opcode Fuzzy Hash: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction Fuzzy Hash: 9D0184B1650A88C9E79DFF33A8063FB6212BBD87C0F18C835B9954B65BDE25C21A4700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report neo.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

:wtfbbq (copy)

C:\Config.Msi\747f70.rbs

C:\System Volume Information\SPP\OnlineMetadataCache\{f14178ee-79d6-4c4a-804e-c18354b90115}_OnDiskSnapshotProp

C:\System Volume Information\SPP\metadata-2

C:\System Volume Information\SPP\snapshot-2

C:\Users\user\AppData\Local\Temp\MSI782b9.LOG

C:\Users\user\AppData\Local\Temp\MSI825B.tmp

C:\Users\user\AppData\Local\Temp\MSI827B.tmp

C:\Users\user\AppData\Local\Temp\MSI829C.tmp

C:\Users\user\AppData\Local\Temp\MSI82BC.tmp

C:\Users\user\AppData\Local\Temp\MSIADBD.tmp

C:\Users\user\AppData\Local\Temp\~DF675E700E3E268100.TMP

C:\Users\user\AppData\Local\Temp\~DF84AA1769D646EEA7.TMP

Windows Analysis Report
neo.msi

Function 00D14BA0 Relevance: 36.5, APIs: 24, Instructions: 502
comCOMMON

Function 00D13C20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 225
librarynativeloaderCOMMON

Function 00D13860 Relevance: 10.7, APIs: 7, Instructions: 227
processCOMMON

Function 00D16A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Function 00D19730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398
COMMON

Function 00D472FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00D136D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
libraryCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre